[dns-operations] Nameserver responses from different IP than destination of request
Paul Vixie
paul at redbarn.org
Sat Aug 29 02:15:28 UTC 2020
Viktor Dukhovni wrote on 2020-08-28 18:46:
> On Fri, Aug 28, 2020 at 06:24:40PM -0400, Puneet Sood via dns-operations wrote:
>
>> We (Google Public DNS) have noticed some instances of nameserver
>> responses for a query coming from a different IP. Our initial plan was
>> to consider these responses invalid and discard them. However after
>> reading the text in RFC 1035 and the update in RFC 2181, we wanted to
>> check what other recursive resolvers are seeing and how they are
>> handling such responses.
>>
>> [...]
> Not dropping them further weakens the already poor resistance of
> non-DNSSEC replies to off-path cache poisoning attacks. Please
> drop these, the solution is up to the server operator.
+1. the robustness principle is 180deg out of phase in this case.
> The operators of such domains need to clean up their network design.
>
that, too.
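The drop rule the thread argues for, sketched as an added example (not part of the original message and not code from Google Public DNS or any resolver): a UDP response is accepted only if it arrives from the exact address and port the query was sent to, and only then are the transaction ID and question compared. The names `Pending`, `build`, `parse_question` and `accept` are hypothetical, and the messages and documentation-range addresses used with them are constructed.

```python
import struct
from typing import NamedTuple

class Pending(NamedTuple):
    server: tuple  # (ip, port) the query was sent to
    txid: int
    qname: str     # fully qualified, e.g. "example.com."
    qtype: int

def build(txid, qname, qtype, response):
    """Construct a minimal one-question DNS message (sample input only)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return hdr + name + b"\0" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype); raise ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(msg):  # no compression pointers in a question
            raise ValueError("bad label")
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def accept(pending, src, msg):
    """Return (ok, reason). The source check runs first, before any parsing."""
    if src != pending.server:
        return False, "source mismatch"
    try:
        txid, is_resp, qname, qtype = parse_question(msg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if not is_resp or txid != pending.txid:
        return False, "header mismatch"
    if (qname, qtype) != (pending.qname.lower(), pending.qtype):
        return False, "question mismatch"
    return True, "ok"
```

A response that carries the right transaction ID and question but arrives from another address is rejected here; without the source check, an off-path sender has one fewer value to match.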