[dns-operations] Nameserver responses from different IP than destination of request

Paul Vixie paul at redbarn.org
Sat Aug 29 02:15:28 UTC 2020

Viktor Dukhovni wrote on 2020-08-28 18:46:
> On Fri, Aug 28, 2020 at 06:24:40PM -0400, Puneet Sood via dns-operations wrote:
>> We (Google Public DNS) have noticed some instances of nameserver
>> responses for a query coming from a different IP. Our initial plan was
>> to consider these responses invalid and discard them. However after
>> reading the text in RFC 1035 and the update in RFC 2181, we wanted to
>> check what other recursive resolvers are seeing and how they are
>> handling such responses.
>> [...]

> Not dropping them further weakens the already poor resistance of
> non-DNSSEC replies to off-path cache poisoning attacks.  Please
> drop these, the solution is up to the server operator.

+1. the robustness principle is 180deg out of phase in this case.

> The operators of such domains need to clean up their network design.

that, too.
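
Added example (not code from this thread, from Google Public DNS, or from any
named resolver): the matching a resolver does on an incoming UDP datagram
before it treats it as the answer to an outstanding query, following the checks
listed in RFC 5452 section 9.1 (transaction ID, ports, source address, question
section). The server address 192.0.2.53, the local port 40001 and the query for
www.example.com are assumptions; all addresses and names are constructed test
data from the RFC 5737 documentation ranges and example.com.

```python
"""Resolver-side response matching per RFC 5452 section 9.1 (added example)."""
import struct


def encode_qname(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, qname, qtype=1):
    # Header: ID, flags (RD), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, qtype, rdata_ip):
    # Header: ID, flags (QR|RD|RA), one question, one answer
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)
    # Answer: name pointer to offset 12, TYPE, CLASS IN, TTL 300, RDLENGTH 4
    rdata = bytes(int(x) for x in rdata_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4) + rdata
    return hdr + question + answer


def parse_question(msg):
    """Return (txid, flags, qname, qtype) from the header and first question."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qname, qtype


class PendingQueries:
    """Outstanding queries keyed by (local source port, transaction ID)."""

    def __init__(self):
        self._pending = {}

    def send(self, local_port, txid, server_ip, qname, qtype=1):
        # Remember where the query went; the kernel demuxes replies on the
        # local port, the ID and the remaining checks narrow it further.
        self._pending[(local_port, txid)] = (server_ip, qname.lower(), qtype)
        return build_query(txid, qname, qtype)

    def receive(self, src_ip, src_port, dst_port, payload):
        """Return (accepted, reason); a rejected datagram is dropped silently."""
        try:
            txid, flags, qname, qtype = parse_question(payload)
        except (ValueError, IndexError, struct.error):
            return False, "malformed"
        if not flags & 0x8000:
            return False, "not-a-response"
        expect = self._pending.get((dst_port, txid))
        if expect is None:
            return False, "no-matching-query"   # wrong ID or port: off-path guess
        server_ip, exp_qname, exp_qtype = expect
        if src_port != 53:
            return False, "source-port-mismatch"
        if src_ip != server_ip:
            # The thread's case: the answer comes from an address other than
            # the one the query was sent to.  The resolver cannot distinguish
            # a multi-homed server from an injected reply, so it drops it.
            return False, "source-address-mismatch"
        if (qname.lower(), qtype) != (exp_qname, exp_qtype):
            return False, "question-mismatch"
        del self._pending[(dst_port, txid)]    # first matching answer wins
        return True, "accepted"


def demo():
    resolver = PendingQueries()
    server = "192.0.2.53"                       # assumed authoritative address
    resolver.send(40001, 0x1234, server, "www.example.com.")
    good = build_response(0x1234, "www.example.com.", 1, "192.0.2.10")
    guess = build_response(0x1235, "www.example.com.", 1, "198.51.100.7")
    return {
        "other_address": resolver.receive("192.0.2.54", 53, 40001, good),
        "offpath_guess": resolver.receive("198.51.100.7", 53, 40001, guess),
        "from_server": resolver.receive(server, 53, 40001, good),
        "replay": resolver.receive(server, 53, 40001, good),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The "other_address" case is the one the thread is about. Skipping that check
would let a host that cannot spoof the server's address inject an answer from
its own address once it guesses the ID and port, and it would spare an off-path
attacker from having to guess which of a zone's nameserver addresses the
resolver actually queried. Dropping the datagram means the query times out and
is retried, which is the cost the thread assigns to the server operator.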

