[dns-operations] Configurable TC=1?
Paul de Weerd
pdeweerd at ripe.net
Mon Dec 21 13:34:57 UTC 2015
On 2015-12-21 13:29 , Tony Finch wrote:
> Anand Buddhdev <anandb at ripe.net> wrote:
>> These are VERY important points. Paul advocates RRL all the time,
>> and it is a useful countermeasure. However, I would go one step
>> further. I would say that name servers should simply NOT respond
>> at all over UDP if they are queried for a zone they're not
>> authoritative for.
> I think this would make it unnecessarily hard to debug delegation
> misconfigurations. It's fine to suppress reply traffic if you
> think you are under attack, but ignoring legitimate queries isn't
If your NS is not authoritative for a domain, queries for it are not
I've heard this 'hard to debug' argument before, but I don't buy it.
If a name server doesn't respond, look at the machine to see why that
is. If it's not your machine, get in touch with the people that run
it for you.
If someone misconfigures their setup to point at a node that doesn't
even run a name server, then you don't expect a response either (let's
assume a firewall that doesn't send ICMP unreachable errors for
attempts to hit UDP:53). Why does this expectation change when you
query a name server that's not authoritative? Is it suddenly my
responsibility to answer questions for everything the internet might
dream up, only because I run DNS for a handful of domains?
> The intro of Mark's draft is relevant...
Mark's draft doesn't deal with queries for domains outside of the
authority of the name server. That's a different case that warrants
its own consideration. I'd say his arguments do not apply here.
Bottom line is, do not misconfigure your name servers. And if you do,
figure this out yourself before anyone else does. Why should the
protocol deal with your mishaps? To me it seems that the time of "be
liberal in what you accept" is long gone, with all due respect to Jon
Postel. The new motto should be "Be conservative in what you send and
in what you receive".
Paul de Weerd
More information about the dns-operations