[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Shane Kerr shane at time-travellers.org
Sun Oct 18 16:21:50 UTC 2015


At BII we had to change source code on BIND and PowerDNS to test the behavior. (With PowerDNS it was a one line change because there was already an option to truncate all ANY queries.) :) 

We can send you some patches for testing if you want. 



Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote on 18 October 2015 16:33:41 GMT+01:00:
>I had issues with the domain kura.io, since the name servers always
>reply with TC=0 (on IPv4; their IPv6 behaviour is more
>common). According to the DNS hoster, Rage4, it is for "dDoS
>protection" (I assume the goal is to make reflection attacks
>It is the first time I meet this behaviour in the wild.
>Is it a good idea?
>If not, should testing programs like ZoneMaster
><https://zonemaster.fr/> flag such behaviour as risky?
>I can reproduce it with NSD (ipv4-edns-size: 60) but not with other
>programs. Any idea how to do it with BIND or Knot (BIND has
>max-udp-size but, apparently, it is capped to 512 bytes even if a
>lower value is indicated, Knot has max-udp-payload but the server
>refuses to start if it's too low "EDNS payload size is lower than 1220
>bytes for DNSSEC zone")

Sent from my Android device with K-9 Mail. Please excuse my brevity.
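The thread asks whether a name server that sets TC=1 on every UDP reply should be flagged as risky by a tester such as ZoneMaster. The distinguishing check is whether truncation was driven by size or by policy: a resolver that retries over TCP after TC=1 learns the full answer, and if that answer would have fit in the UDP buffer it offered, the truncation was gratuitous. The script below is an added example, not code from the thread, from BII or from any of the servers named; it builds a constructed query and a constructed UDP/TCP reply pair offline (no packets are sent), parses the DNS header, and applies that comparison. The function names, the transaction id 0x1234 and the 192.0.2.1 address are assumptions chosen for the example.

```python
"""Decide whether a UDP DNS reply was truncated for size or gratuitously.

Added example (not from the mailing-list thread). Everything here is built
offline: the query, the truncated UDP reply and the full TCP reply are
constructed in this file, so nothing is sent on the network.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1).
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080
CLASSIC_UDP_MAX = 512  # payload limit without EDNS


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, qname, qtype=1):
    """Plain query: RD set, one question, no EDNS (so the buffer is 512 bytes)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, answers, truncated):
    """Echo the question; an always-truncating server sends TC=1 and no RRs."""
    (qid,) = struct.unpack("!H", query[:2])
    flags = QR | RD | RA | (TC if truncated else 0)
    ancount = 0 if truncated else len(answers)
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    return header + query[12:] + (b"" if truncated else b"".join(answers))


def a_record(owner_ptr, ttl, ip):
    """One A RR whose owner is a compression pointer to the question name."""
    rdata = bytes(int(o) for o in ip.split("."))
    return struct.pack("!H", 0xC000 | owner_ptr) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata


def parse_header(msg):
    """Split the 12-byte header into the fields a truncation check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_reply):
    """A resolver must retry over TCP whenever the UDP reply carries TC=1."""
    return parse_header(udp_reply)["tc"]


def truncation_was_gratuitous(udp_reply, tcp_reply, udp_bufsize=CLASSIC_UDP_MAX):
    """True when TC=1 was set although the complete answer fits the UDP buffer.

    Size-driven truncation means the full message exceeds what the client
    said it could accept. If the TCP copy is no larger than that buffer, the
    server is truncating as a matter of policy, which is what a zone tester
    would want to report.
    """
    udp, tcp = parse_header(udp_reply), parse_header(tcp_reply)
    if udp["id"] != tcp["id"]:
        raise ValueError("replies do not belong to the same transaction")
    return udp["tc"] and not tcp["tc"] and len(tcp_reply) <= udp_bufsize


# Constructed sample transaction: an A query for kura.io. (the name from the
# thread), a UDP reply truncated with no answer, and the full reply over TCP.
QUERY = build_query(0x1234, "kura.io.", 1)
UDP_REPLY = build_response(QUERY, [], truncated=True)
TCP_REPLY = build_response(QUERY, [a_record(12, 300, "192.0.2.1")], truncated=False)

if __name__ == "__main__":
    print("UDP reply needs TCP retry:", needs_tcp_retry(UDP_REPLY))
    print("full answer is %d bytes" % len(TCP_REPLY))
    print("truncation gratuitous:", truncation_was_gratuitous(UDP_REPLY, TCP_REPLY))
```

The check is conservative on purpose: a server is allowed to truncate at an RRset boundary and return only the question section, so a small TC=1 reply by itself proves nothing; it is the comparison with the TCP answer that separates "too big for the buffer" from "truncated on every query". A tester that sends EDNS should pass the buffer size it advertised as `udp_bufsize` instead of the 512-byte default.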
