[dns-operations] DNS request for ./NS with two extra bytes at the end

P Vixie paul at redbarn.org
Thu May 26 15:22:59 UTC 2022

The robustness principle is diametrically wrong. We must be ultra conservative in what we accept, to put back pressure on silly bugs before they can gain market share.

⁣Get BlueMail for Android ​

On May 25, 2022, 22:58, at 22:58, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>[This has no operational consequences, it is just idle curiosity.]
>A server receives a few packets/second coming from several IP
>addresses and querying ./NS (like in priming, or may be in some
>reflection attacks). The server was never a root server, of course.
>What is interesting is that all these packets have two extra bytes at
>the end, after the class. The UDP length is correct, but the DNS
>content is not. I don't show you the output of tshark, because it
>ignores these extra bytes (but you can see them with Wireshark or
>other tools). I attached a small pcap.
>The source IP addresses (which may be spoofed) are all registered in
>Did anyone see these requests?
>Side question: what should the receiver do? tshark, as I said, drops
>these extra bytes, Wireshark flags no error (but displays the
>bytes). I did not test them with various DNS servers to see how they
>react. Ignoring the extra bytes in the name of the robustness
>principle? Instead, at least one DNS library rejects the packet as
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220526/778b76db/attachment.html>

More information about the dns-operations mailing list