[dns-operations] Nameserver responses from different IP than destination of request

Florian Weimer fw at deneb.enyo.de
Mon Aug 31 18:00:00 UTC 2020


* Puneet Sood via dns-operations:

> We would be interested in hearing other operator's experience here.
> Are recursive servers seeing similar behavior from authoritative
> servers? If yes, are you discarding these responses?
> Are there authoritative server operators who still need the
> flexibility afforded by RFC 1035?

If I recall correctly, while helping to run an academic network I
encountered this issue on the authoritative server side.  That was
close to twenty years ago, and even back then, it did not occur to us
to push the resolvers to accept these incorrectly sourced responses,
instead of getting the authoritative server operator to fix their
setup.  Or maybe I'm not correctly remembering things, and it wasn't
DNS but Sun RPC.  (Hard to believe that even early BIND 4 didn't get
this right, and what else could they have been running?)

Anyway, in my current world, most recursive DNS servers operate behind
some sort of stateful packet filter, so the server operators on their
own cannot make these incorrectly source responses work because the
systems under their direct control never receive them.



More information about the dns-operations mailing list