[dns-operations] DNS error reporting

Petr Spacek pspacek at redhat.com
Mon Feb 15 09:39:33 UTC 2016

On 12.2.2016 15:35, Shane Kerr wrote:
> George,
> At 2016-02-12 11:43:23 +0000
> George Ross <gdmr at inf.ed.ac.uk> wrote:
>>> Can we invent something which is structured enough so the end node can
>>> translate the message for the user? Or even advise what might be wrong?  
>> Can we invent something where the error response is smaller than, or at
>> least not much bigger than, the original request?  It would be as well not
>> to provide another DDoS amplifier.
> Since the question is copied back in the answer to a DNS query, this is
> tricky. :)
> The only way I can see to do this is by padding the query packet so
> that the response is never bigger than the query.
> This results in three unpleasant alternatives though:
> 1. If the stub resolvers gets a SERVFAIL then re-send the query asking
>    for an error, with padding, and hope that you see the exact same
>    error again.
> 2. Or, the recursive resolver can send an error ID to the client, which
>    the client can then use to get the full error information by using a
>    special query with padding.
> 3. The stub resolver can pad *every* query.
> Option 3 is probably the easiest, and maybe not so bad in these days of
> no-copy packet processing?
> Option 2 is arguably the "best", except that now a recursive resolver
> has yet more state to track. Maybe that doesn't matter, although it may
> be troublesome if the error involves memory problems that mean that it
> can't add any more state.
> Option 1 is nondeterministic. It also means more packets on the wire at
> the exact time when the system is under stress. :(

Maybe we can send the error back only when client is connected over TCP or is
using DNS cookies.

Petr Spacek  @  Red Hat

More information about the dns-operations mailing list