[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

Shane Kerr shane at time-travellers.org
Sat Sep 3 16:30:59 UTC 2016


Paul,

At 2016-09-02 20:15:05 -0700
Paul Vixie <paul at redbarn.org> wrote:

> % dig @ord.sns-pb.isc.org vixie.sf.ca.us soa +dnssec
> ...
> ;; Query time: 56 msec
> ;; SERVER: 2001:500:71::30#53(2001:500:71::30)
> ;; WHEN: Sat Sep 03 03:13:19 UTC 2016
> ;; MSG SIZE  rcvd: 2045
> 
> (hint: this is sarcasm. banning ANY is silly.)

It almost seems like a bug that BIND is returning all that extra data
that you didn't ask for in your query.

There's no need for anything in the authority or additional section in
that answer. You can encourage BIND to give you a shorter answer:

$ dig @ord.sns-pb.isc.org vixie.sf.ca.us soa +dnssec +bufsize=512
...
;; Query time: 257 msec
;; SERVER: 199.6.0.30#53(199.6.0.30)
;; WHEN: Sun Sep 04 00:23:12 CST 2016
;; MSG SIZE  rcvd: 278

Setting "minimal-responses" in BIND 9's named.conf should fix this.

Cheers,

--
Shane
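The two dig runs in this thread send the same SOA query and differ only in the EDNS0 UDP payload size advertised to the server (4096 by default, 512 with +bufsize=512). As an added illustration that is not part of the thread, the Python below builds that query on the wire (RFC 6891 OPT record with the DO bit), so you can see exactly what +bufsize and +dnssec change, and relates the thread's two MSG SIZE figures to the query size; the function names are mine.

```python
import struct

SOA = 6   # RR type SOA
OPT = 41  # RR type OPT (EDNS0 pseudo-RR)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, bufsize: int, dnssec_ok: bool,
                txid: int = 0x1234) -> bytes:
    """Build a UDP DNS query with one EDNS0 OPT record.

    The advertised UDP payload size goes in the OPT CLASS field and the DO
    bit (RFC 3225) is the high bit of the OPT TTL field, which is what
    dig's +bufsize=N and +dnssec set respectively.
    """
    # flags 0x0100 = RD; QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = 0x8000 if dnssec_ok else 0  # ext-RCODE=0, version=0, DO flag
    # root name (single zero byte), TYPE, CLASS=bufsize, TTL, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, ttl, 0)
    return header + question + opt


def advertised_bufsize(query: bytes) -> int:
    """Read the payload size back out of the trailing OPT record."""
    return struct.unpack("!H", query[-8:-6])[0]


def amplification(query: bytes, response_size: int) -> float:
    """Bytes returned per byte sent, the figure abuse-mitigation cares about."""
    return response_size / len(query)


if __name__ == "__main__":
    q = build_query("vixie.sf.ca.us", SOA, 512, dnssec_ok=True)
    print(len(q), "byte query advertising bufsize", advertised_bufsize(q))
    # MSG SIZE rcvd figures quoted in the thread: 2045 (default) vs 278 (+bufsize=512)
    for size in (2045, 278):
        print(f"response {size} bytes -> amplification x{amplification(q, size):.1f}")
```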