[dns-operations] Nameserver responses from different IP than destination of request

Warren Kumari warren at kumari.net
Mon Aug 31 18:19:08 UTC 2020

On Mon, Aug 31, 2020 at 2:11 PM Florian Weimer <fw at deneb.enyo.de> wrote:
> * Puneet Sood via dns-operations:
> > We would be interested in hearing other operators' experience here.
> > Are recursive servers seeing similar behavior from authoritative
> > servers? If yes, are you discarding these responses?
> > Are there authoritative server operators who still need the
> > flexibility afforded by RFC 1035?
> If I recall correctly, while helping to run an academic network I
> encountered this issue on the authoritative server side.  That was
> close to twenty years ago, and even back then, it did not occur to us
> to push the resolvers to accept these incorrectly sourced responses,
> instead of getting the authoritative server operator to fix their
> setup.

The bit that I'm failing to understand is why these continue to exist
-- if everyone (or, everyone other than Google) is ignoring /
dropping these, how / why are they still on the Internet? Is it just
that the $whatever sending these are always deployed next to something
that ain't broke and the operator just hasn't noticed?
Or are perhaps more things accepting these than we expect?


> Or maybe I'm not correctly remembering things, and it wasn't
> DNS but Sun RPC.  (Hard to believe that even early BIND 4 didn't get
> this right, and what else could they have been running?)
> Anyway, in my current world, most recursive DNS servers operate behind
> some sort of stateful packet filter, so the server operators on their
> own cannot make these incorrectly sourced responses work because the
> systems under their direct control never receive them.

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
