[dns-operations] [DNSOP] bind fails to continue recursing on one specific query

Paul Vixie paul at redbarn.org
Wed Mar 29 13:30:28 UTC 2023


i think there's language slippage in this thread.

Peter DeVries wrote on 2023-03-29 03:51:
> 
> On Tue, Mar 28, 2023, 9:23 PM Dave Lawrence <tale at dd.org> wrote:
> 
>     ...
> 
>     It is very poor form for nameservers to intentionally not respond to
>     queries under normal operation.  Now if you were getting hammered by
>     an unreasonable volume of them that would be another thing.

so, normal operation != during a ddos.

> 1/4 - 1/3 of all incoming queries matched this signature during DDoS 
> attacks.  It was potentially a quick help.

see also:

http://www.redbarn.org/dns/ratelimits

noting that just about all modern DNS servers have RRL now:

https://duckduckgo.com/?q=dns+rrl&atb=v344-1&ia=web

i suggest linguistic caution when talking about not answering queries. 
DNS RRL is nonmodal and must be nonmodal. we must not answer questions 
that should not have been sent, and many of these are easily detected.

hopefully DNS RRL will be on by default at some nearby point in time.

-- 
P Vixie



