[dns-operations] if you're banning ANY queries, don't forget to ban SOA as well

P Vixie paul at redbarn.org
Sat Sep 3 17:48:44 UTC 2016


Shane, that change is even easier, but even less likely, than wide scale blocking of ANY.

The proponents of blocking ANY need to do some homework. There's a reason that DNS RRL was created.

Blocking ANY is silly.

Vixie

On September 3, 2016 9:30:59 AM PDT, Shane Kerr <shane at time-travellers.org> wrote:
>Paul,
>
>At 2016-09-02 20:15:05 -0700
>Paul Vixie <paul at redbarn.org> wrote:
>
>> % dig @ord.sns-pb.isc.org vixie.sf.ca.us soa +dnssec
>> ...
>> ;; Query time: 56 msec
>> ;; SERVER: 2001:500:71::30#53(2001:500:71::30)
>> ;; WHEN: Sat Sep 03 03:13:19 UTC 2016
>> ;; MSG SIZE  rcvd: 2045
>> 
>> (hint: this is sarcasm. banning ANY is silly.)
>
>It almost seems like a bug that BIND is returning all that extra data
>that you didn't ask for in your query.
>
>There's no need for anything in the authority or additional section in
>that answer. You can encourage BIND to give you a shorter answer:
>
>$ dig @ord.sns-pb.isc.org vixie.sf.ca.us soa +dnssec +bufsize=512
>...
>;; Query time: 257 msec
>;; SERVER: 199.6.0.30#53(199.6.0.30)
>;; WHEN: Sun Sep 04 00:23:12 CST 2016
>;; MSG SIZE  rcvd: 278
>
>Setting "minimal-responses" in BIND 9's named.conf should fix this.
>
>Cheers,
>
>--
>Shane 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
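The thread's point is that response size, not query type, drives UDP amplification: a 43-byte SOA query drawing the 2045-byte DNSSEC answer quoted above amplifies about as well as any ANY query, while the EDNS buffer size in the +bufsize=512 retry caps what a UDP responder can send back. The following is an added example (not code from the thread or from BIND) that builds the SOA+DNSSEC query on the wire and computes the amplification factors for the two response sizes quoted in the messages; the transaction id and the names of the helper functions are this example's own choices.

```python
import struct

QTYPE_SOA = 6
QTYPE_ANY = 255
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record's extended flags


def encode_name(name: str) -> bytes:
    """Encode a DNS name as length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int, bufsize: int = 4096,
                dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format query with one question and one EDNS0 OPT record.

    Equivalent to `dig <qname> <type> +dnssec +bufsize=<bufsize>`: the OPT
    record's CLASS field advertises the UDP payload size the client accepts,
    and the DO bit asks the server to include DNSSEC records (RRSIG etc.).
    """
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    flags = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=bufsize, TTL=(ext-rcode, version, flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, bufsize, 0, 0, flags, 0)
    return header + question + opt


def amplification(query: bytes, response_size: int) -> float:
    """Bytes sent to a spoofed victim per byte the attacker had to send."""
    return response_size / len(query)


def udp_amplification_cap(query: bytes, bufsize: int) -> float:
    """Upper bound over UDP: a responder must truncate past the advertised bufsize."""
    return bufsize / len(query)


if __name__ == "__main__":
    q = build_query("vixie.sf.ca.us", QTYPE_SOA)
    print(f"query: {len(q)} bytes")
    print(f"2045-byte SOA+DNSSEC answer: {amplification(q, 2045):.1f}x")  # quoted above
    print(f"278-byte minimal answer:     {amplification(q, 278):.1f}x")   # quoted above
    print(f"cap with +bufsize=512:       {udp_amplification_cap(q, 512):.1f}x")
```

Swapping QTYPE_SOA for QTYPE_ANY changes only two bytes of the query, which is why per-client response rate limiting (RRL) rather than a per-type block is the effective control.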