[dns-operations] Always replying to UDP requests with TC=1, good practice or not

Mark Andrews marka at isc.org
Mon Oct 19 20:49:34 UTC 2015


In message <2246785.9G8M1MizFP at linux-rfx1>, Paul Vixie writes:
> On Monday, October 19, 2015 12:38:17 Tony Finch wrote:
> > Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> > > I can reproduce it with NSD (ipv4-edns-size: 60) but not with other
> > > programs. Any idea how to do it with BIND or Knot
> >
> > You should get this effect using RRL with slip=1
>
> for more commentary on slip=1, see:
>
> http://www.circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns/
>
> --
> Paul

With EDNS COOKIES one can require a good server cookie before
providing more of an answer than just BADCOOKIE over UDP.  This is
similar in nature to always sending TC=1 but keeps the traffic on
UDP rather than switching the traffic to TCP.  It also doesn't
require the authoritative server to keep any per client state.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
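The stateless cookie check Mark describes, as an added example that is not part of the original thread: a UDP query carrying only a client cookie gets BADCOOKIE plus a fresh server cookie, a retry echoing that cookie gets an answer, and the same cookie replayed from another source address is rejected. The HMAC-SHA256 construction, 12-byte layout and validity window are assumptions of this example; RFC 7873 leaves the server cookie algorithm to the server.

```python
import hmac, hashlib, os, struct

COOKIE_OPTION_CODE = 10   # EDNS0 COOKIE option code (RFC 7873); informational here
RCODE_BADCOOKIE = 23      # extended RCODE sent when the server cookie is missing, stale or forged
SERVER_SECRET = os.urandom(32)   # only server-side state: one secret, not a per-client table
TTL_SECONDS = 3600                # assumed lifetime of a server cookie

def make_server_cookie(client_cookie, client_ip, ts):
    # Assumed layout: 4-byte timestamp + 8-byte MAC over (client cookie, client IP, timestamp).
    ts_bytes = struct.pack("!I", ts)
    mac = hmac.new(SERVER_SECRET, client_cookie + client_ip.encode() + ts_bytes,
                   hashlib.sha256).digest()[:8]
    return ts_bytes + mac

def server_cookie_valid(client_cookie, server_cookie, client_ip, now):
    if len(server_cookie) != 12:
        return False
    ts = struct.unpack("!I", server_cookie[:4])[0]
    if not (now - TTL_SECONDS <= ts <= now + 300):   # stale or far-future timestamp
        return False
    expected = make_server_cookie(client_cookie, client_ip, ts)
    return hmac.compare_digest(expected, server_cookie)  # constant-time compare

def handle_udp_query(cookie_option, client_ip, now):
    """Return (rcode or 'ANSWER'/'NOCOOKIE'/'FORMERR', COOKIE option data to echo back)."""
    if cookie_option is None:
        # No COOKIE option at all: what to do (answer, TC=1, RRL) is a separate policy choice.
        return "NOCOOKIE", None
    client_cookie, server_cookie = cookie_option[:8], cookie_option[8:]
    if len(client_cookie) != 8 or (server_cookie and not 8 <= len(server_cookie) <= 32):
        return "FORMERR", None
    fresh = client_cookie + make_server_cookie(client_cookie, client_ip, now)
    if server_cookie_valid(client_cookie, server_cookie, client_ip, now):
        return "ANSWER", fresh
    # Only a client at the claimed source address sees this reply and can retry with the
    # server cookie; a spoofed source cannot, and the server stored nothing to find out.
    return RCODE_BADCOOKIE, fresh

def simulate_exchange(client_ip="192.0.2.10", now=1700000000):
    # Constructed exchange: initial query, valid retry, then replay from a different address.
    cc = os.urandom(8)
    rcode1, opt1 = handle_udp_query(cc, client_ip, now)
    rcode2, _ = handle_udp_query(opt1, client_ip, now + 5)
    rcode3, _ = handle_udp_query(opt1, "198.51.100.7", now + 5)
    return rcode1, rcode2, rcode3

if __name__ == "__main__":
    print(simulate_exchange())  # (23, 'ANSWER', 23)
```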