[dns-operations] Stop marking TLD's NS server as EDNS-incapable

Florian Weimer fweimer at redhat.com
Mon Mar 6 10:49:02 UTC 2017

On 03/06/2017 10:55 AM, Shane Kerr wrote:
> Unfortunately if an attacker can send spoofed packets and trigger the
> EDNS downgrade, that will effectively prevent a resolver from using the
> authority servers for some time. That seems like a cheap (for the
> attacker) and difficult to diagnose (for the defender) DoS to me.

This can also happen with queries which trigger FORMERR responses or 
other responses which are interpreted as lack of EDNS0 support (which 
could include timeouts).  This can lead to “query of death” issues even 
on clean networks.

If I recall correctly, I reported this a while ago to DNS implementers 
(maybe around 2010?).  The issue is quite hard to fix because EDNS does 
not provide unambiguous signaling of EDNS support or lack thereof.  At 
least in the past, not all servers sent EDNS-enabled FORMERR responses 
to EDNS queries, and fixing that still doesn't help with timeouts.

For the DNSSEC case, it should be possible to note that servers for 
signed zones must be EDNS-capable, but that does not cover other uses of 
EDNS, obviously.

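As an added illustration (not from this thread, and not any resolver's actual code), the following Python models the per-server EDNS fallback state the mail describes: a single ambiguous FORMERR or timeout marks a server EDNS-incapable for a period, the plain queries sent while it is marked reveal nothing about EDNS support, and two hypothetical knobs, `retry_threshold` and `strict_dnssec`, show the mitigations of requiring repeated failures and of never downgrading servers of DNSSEC-signed zones. Server address and trace are constructed.

```python
from dataclasses import dataclass, field

FORMERR, TIMEOUT, OK_EDNS = "FORMERR", "TIMEOUT", "OK_EDNS"  # reply outcomes
@dataclass
class EdnsTracker:
    """Per-server EDNS0 capability cache. retry_threshold=1 is the naive
    fallback; strict_dnssec skips marking servers of DNSSEC-signed zones
    (a hypothetical knob following the rule suggested in the mail)."""
    downgrade_ttl: int = 300       # seconds a server stays marked incapable
    retry_threshold: int = 1       # consecutive failures needed before marking
    strict_dnssec: bool = False
    _until: dict = field(default_factory=dict)     # server -> mark expiry
    _failures: dict = field(default_factory=dict)  # server -> failure run

    def edns_allowed(self, server: str, now: float) -> bool:
        expiry = self._until.get(server)
        if expiry is not None and now < expiry:
            return False
        self._until.pop(server, None)  # mark expired: probe with EDNS0 again
        return True

    def observe(self, server: str, outcome: str, now: float, signed: bool) -> bool:
        """Record the reply to an EDNS0 query; True if the server got marked."""
        if outcome == OK_EDNS:
            self._failures.pop(server, None)
            return False
        # FORMERR and TIMEOUT are ambiguous: a legacy server, a broken middlebox,
        # packet loss or a single spoofed packet all look identical here.
        if self.strict_dnssec and signed:
            return False
        self._failures[server] = self._failures.get(server, 0) + 1
        if self._failures[server] < self.retry_threshold:
            return False
        self._until[server] = now + self.downgrade_ttl
        return True

def simulate(policy: EdnsTracker, events) -> list:
    """Replay (time, server, outcome, signed) events; return whether each query
    went out with EDNS0. While marked, plain replies carry no EDNS0 signal."""
    used = []
    for t, srv, outcome, signed in events:
        allowed = policy.edns_allowed(srv, t)
        if allowed:
            policy.observe(srv, outcome, t, signed)
        used.append(allowed)
    return used

# Constructed trace: a single FORMERR at t=10 from a server of a signed zone.
TRACE = [(0, "198.51.100.1", OK_EDNS, True), (10, "198.51.100.1", FORMERR, True),
         (20, "198.51.100.1", OK_EDNS, True), (400, "198.51.100.1", OK_EDNS, True)]
```

With the naive policy the one FORMERR keeps EDNS0 off until the mark expires at t=310, while either knob leaves it on throughout.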