[dns-operations] Stop marking TLD's NS server as EDNS-incapable
Florian Weimer
fweimer at redhat.com
Mon Mar 6 10:49:02 UTC 2017
On 03/06/2017 10:55 AM, Shane Kerr wrote:
> Unfortunately if an attacker can send spoofed packets and trigger the
> EDNS downgrade, that will effectively prevent a resolver from using the
> authority servers for some time. That seems like a cheap (for the
> attacker) and difficult to diagnose (for the defender) DoS to me.
This can also happen with queries which trigger FORMERR responses or
other responses which are interpreted as lack of EDNS0 support (which
could include timeouts). This can lead to “query of death” issues even
on clean networks.
If I recall correctly, I reported this a while ago to DNS implementers
(maybe around 2010?). The issue is quite hard to fix because EDNS does
not provide unambiguous signaling of EDNS support or lack thereof. At
least in the past, not all servers sent EDNS-enabled FORMERR responses
to EDNS queries, and fixing that still doesn't help with timeouts.
For the DNSSEC case, it should be possible to note that servers for
signed zones must be EDNS-capable, but that does not cover other uses of
EDNS, obviously.
Thanks,
Florian
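As an added illustration (not part of Florian's message or of any real resolver), a small Python model of the per-server EDNS-downgrade state a resolver might keep. It shows how one FORMERR or timeout, spoofed or accidental, disables EDNS towards a server for a whole penalty window, and how the "servers for signed zones must be EDNS-capable" rule closes that path for signed zones only. The class, the event log, the server names and the 300 s window are constructed assumptions.

```python
# Added illustration: naive vs. hardened per-server EDNS fallback state.
# The class, server names, event log and 300 s penalty are constructed
# assumptions, not the behaviour of any particular resolver.
from dataclasses import dataclass, field

PENALTY = 300.0  # seconds a naive resolver stops sending EDNS to a server


@dataclass
class EdnsState:
    signed_zones: set = field(default_factory=set)  # zones known to be DNSSEC-signed
    hardened: bool = False                           # apply the signed-zone rule?
    disabled_until: dict = field(default_factory=dict)

    def edns_allowed(self, server, now):
        return self.disabled_until.get(server, 0.0) <= now

    def observe(self, server, zone, outcome, now):
        """Record one exchange; outcome is 'ok', 'formerr' or 'timeout'.
        Returns True when this observation disabled EDNS towards the server."""
        if not self.edns_allowed(server, now) or outcome == "ok":
            return False  # plain query (no EDNS sent) or a clean answer: no new evidence
        # FORMERR and timeout are ambiguous: an old server, a broken middlebox,
        # a spoofed packet, or a "query of death" on the server side.
        if self.hardened and zone in self.signed_zones:
            # A server authoritative for a signed zone must support EDNS, so the
            # failure is treated as transient and EDNS stays on.
            return False
        self.disabled_until[server] = now + PENALTY
        return True


# Constructed exchange log: (time, server, zone, outcome)
EVENTS = [
    (0.0, "ns1.example.", "example.", "ok"),
    (10.0, "ns1.example.", "example.", "formerr"),   # a single spoofed/odd reply
    (11.0, "ns1.example.", "example.", "ok"),
    (20.0, "ns1.unsigned.", "unsigned.", "formerr"),  # same thing, unsigned zone
    (60.0, "ns1.example.", "example.", "timeout"),   # one lost packet
]


def run(hardened):
    """Replay EVENTS under one policy; return the servers that got downgraded
    and whether EDNS is still usable towards each server at t=61 s."""
    st = EdnsState(signed_zones={"example."}, hardened=hardened)
    downgraded = []
    for t, srv, zone, outcome in EVENTS:
        if st.observe(srv, zone, outcome, t):
            downgraded.append(srv)
    servers = ("ns1.example.", "ns1.unsigned.")
    return downgraded, {s: st.edns_allowed(s, 61.0) for s in servers}
```

Under the naive policy both servers lose EDNS for the full window after one bad packet each; the hardened policy keeps EDNS on for the signed zone but, as the message notes, still downgrades the unsigned one.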