[dns-operations] A denial of server catastrophe waiting to happen ...

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Dec 16 16:33:39 UTC 2016


> On Dec 14, 2016, at 3:24 PM, Jeff Westhead <Jeff.Westhead at microsoft.com> wrote:
> 
> Thanks for pointing that out, Mark. I will look into it.
> We should be returning BADVERS here but we are not.

While you're looking into Mark's report, any chance you could also
fix the related mishandling of queries with an unexpected RRtype?
The correct response is "NODATA" or "NXDOMAIN" as appropriate, not
"NOTIMP"!

In the below example, an "A" query correctly returns NXDOMAIN, but
a "TLSA" query incorrectly returns "NOTIMP".  EDNS support would
be another step in the right direction.

   $ dig +norecur +noedns +noad -t a _25._tcp.nist-gov.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com
   ; <<>> DiG 9.11.0-P1 <<>> +norecur +noedns +noad -t a _25._tcp.nist-gov.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46309
   ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
   ;; QUESTION SECTION:
   ;_25._tcp.nist-gov.mail.protection.outlook.com. IN A

   $ dig +norecur +noedns +noad -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com
   ; <<>> DiG 9.11.0-P1 <<>> +norecur +noedns +noad -t tlsa _25._tcp.nist-gov.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com
   ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 55106
   ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
   ;; QUESTION SECTION:
   ;_25._tcp.nist-gov.mail.protection.outlook.com. IN TLSA

-- 
	Viktor.
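
Added example, not part of the original post: a small Python checker that applies the rule above (a standard RRtype query must get NODATA or NXDOMAIN, never NOTIMP, and an NXDOMAIN for A is contradicted by any other rcode for the same name). It builds the same kind of plain query dig sends with +norecur +noedns, parses the response header, and runs the check over response bytes constructed from the two header lines quoted above; `check_rrtype_handling` and `sample_response` are names chosen here, and nothing touches the network.

```python
import struct

TYPE_A, TYPE_TLSA = 1, 52
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
NAME = "_25._tcp.nist-gov.mail.protection.outlook.com"  # the name from the post

def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(qname, qtype, txid):
    """Minimal query with RD clear and no OPT record, like dig +norecur +noedns."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(resp):
    """Pull out the fields a resolver checks first: id, QR, AA, RCODE and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def check_rrtype_handling(baseline, probe):
    """Compare a known-good A response with a response for another RRtype for the same name.
    Rule from the post: the answer must be NODATA or NXDOMAIN as appropriate, never NOTIMP;
    and NXDOMAIN for one type with a different rcode for another is self-contradictory."""
    b, p = parse_header(baseline), parse_header(probe)
    if p["rcode"] == "NOTIMP":
        return "FAIL: NOTIMP for a standard RRtype query"
    if b["rcode"] == "NXDOMAIN" and p["rcode"] != "NXDOMAIN":
        return "FAIL: NXDOMAIN for A but %s for the probe type" % p["rcode"]
    if p["rcode"] == "NXDOMAIN" or (p["rcode"] == "NOERROR" and p["ancount"] == 0):
        return "OK: negative answer (%s)" % p["rcode"]
    return "OK: %s with %d answer record(s)" % (p["rcode"], p["ancount"])

def sample_response(txid, flags, qtype):
    """Constructed response: header plus the echoed question, no records in other sections."""
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(NAME) + struct.pack(">HH", qtype, 1)

# Constructed from the two header lines in the post: flags qr aa + NXDOMAIN, and flags qr + NOTIMP.
RESP_A = sample_response(46309, 0x8403, TYPE_A)
RESP_TLSA = sample_response(55106, 0x8004, TYPE_TLSA)
# What a corrected server should send for the TLSA query: the same NXDOMAIN, still authoritative.
RESP_TLSA_FIXED = sample_response(55106, 0x8403, TYPE_TLSA)

if __name__ == "__main__":
    for label, resp in (("A", RESP_A), ("TLSA", RESP_TLSA), ("TLSA (fixed)", RESP_TLSA_FIXED)):
        print(label, parse_header(resp)["rcode"], check_rrtype_handling(RESP_A, resp))
```

To probe a live server, send `build_query(...)` over UDP port 53 and feed the reply bytes to `check_rrtype_handling`; the AA flag in `parse_header` also shows the second difference visible in the dig output above.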
