[dns-operations] [DNSOP] bind fails to continue recursing on one specific query
Petr Špaček
pspacek at isc.org
Wed Mar 29 13:30:59 UTC 2023
On 29. 03. 23 13:03, Dave Lawrence wrote:
> Peter DeVries via dns-operations writes:
>> Another relevant draft:
>> https://datatracker.ietf.org/doc/html/rfc8906
>>
>> Not sure how, it doesn't address _. as a use case at all and I only
>> see testing for minimal EDNS not minimal qname.
>
> The journey of that document was with, essentially, No Response
> Considered Harmful. While it does go over many specific examples, the
> thrust of it from the Introduction is that not responding to
> legitimate queries is an ambiguous signal that burdens the DNS
> ecosystem even more.
That's right.
Well-behaved DNS resolvers might assume that a timeout indicates that the
server is not keeping up, and that the resolver should try another server or
enable throttling for a given non-responsive server (in an attempt to
help the server keep up with load).
In other words, dropping queries from resolvers might/will cause
legitimate clients to not get timely answers, but attackers will not
care and will continue flooding the resolver.
Artificial timeouts also wreak havoc on some RTT estimation approaches etc.
Thus
=> RFC 8906 => It's A Bad Idea To Drop Queries.
--
Petr Špaček
Internet Systems Consortium
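The resolver behaviour described in the message above (a timeout is read as "this server is slow", the resolver moves on to another server and the estimate it keeps for the silent server is inflated) can be seen in a small model. The following is an added illustration for this thread, not code from BIND or any other resolver: the exponential-smoothing update, the 2 s timeout, the ordering of servers by smoothed RTT, the hostnames and the "drop any query whose first label is `_`" policy are all constructed assumptions, chosen only to show what a silently dropped `_.` probe does to the clients behind a resolver.

```python
"""Model of how a recursive resolver's RTT-based server selection reacts when an
authoritative server silently drops some queries instead of answering.

Added illustration for this thread; it is not code from BIND or any other
resolver. The smoothing rule, the timeout value, the server names and the drop
policy are assumptions chosen to keep the model small.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

TIMEOUT = 2.0  # seconds a resolver waits on one server before giving up (assumed)
ALPHA = 0.3    # weight of the newest sample in the smoothed RTT (assumed)


@dataclass
class AuthServer:
    name: str
    rtt: float                                   # true network RTT in seconds
    drops: Callable[[str, str], bool] = lambda qname, qtype: False

    def query(self, qname: str, qtype: str) -> Optional[float]:
        """Return the observed latency, or None if the server never answers."""
        if self.drops(qname, qtype):
            return None
        return self.rtt


@dataclass
class Resolver:
    servers: List[AuthServer]
    srtt: Dict[str, float] = field(default_factory=dict)   # smoothed RTT per server
    log: List[str] = field(default_factory=list)

    def _observe(self, server: AuthServer, sample: float) -> None:
        old = self.srtt.get(server.name, sample)
        self.srtt[server.name] = (1 - ALPHA) * old + ALPHA * sample

    def resolve(self, qname: str, qtype: str) -> Tuple[str, float]:
        """Try servers in order of smoothed RTT (untried servers first).

        Returns (name of the server that answered, latency seen by the client).
        """
        elapsed = 0.0
        for server in sorted(self.servers, key=lambda s: self.srtt.get(s.name, 0.0)):
            latency = server.query(qname, qtype)
            if latency is None:
                # A silent drop is indistinguishable from an overloaded server:
                # the client waits the full timeout, the server's estimate is
                # charged the full timeout, and the resolver moves on.
                elapsed += TIMEOUT
                self._observe(server, TIMEOUT)
                self.log.append(f"{qname}/{qtype}: {server.name} timed out")
                continue
            elapsed += latency
            self._observe(server, latency)
            self.log.append(f"{qname}/{qtype}: {server.name} answered in {latency:.3f}s")
            return server.name, elapsed
        raise RuntimeError("no server answered")


def drops_underscore_probe(qname: str, qtype: str) -> bool:
    """Constructed policy: silently drop queries whose first label is '_' (the
    '_.' probes discussed in the thread) and answer everything else."""
    return qname.split(".")[0] == "_"


def simulate() -> Tuple[List[Tuple[str, float]], Dict[str, float]]:
    """Run a short constructed workload; return (per-query results, final SRTT table)."""
    ns1 = AuthServer("ns1", rtt=0.010, drops=drops_underscore_probe)  # nearer, but drops
    ns2 = AuthServer("ns2", rtt=0.050)                                # farther, answers all
    resolver = Resolver([ns1, ns2])
    workload = [                       # constructed queries
        ("_.example.com", "A"),        # probe: ns1 drops it, client waits TIMEOUT
        ("www.example.com", "A"),      # ordinary queries now avoid ns1 entirely
        ("mail.example.com", "A"),
    ]
    results = [resolver.resolve(q, t) for q, t in workload]
    for line in resolver.log:
        print(line)
    return results, dict(resolver.srtt)


if __name__ == "__main__":
    print(simulate())
```

In the run, the first legitimate query is delayed by the whole timeout before ns2 answers it, and ns1, the nearer server, carries a 2 s estimate afterwards, so the resolver keeps sending ordinary queries to the slower ns2. Real resolvers decay such estimates and re-probe servers, but the cost is the same: the drop lands on the resolver's clients, not on whoever the server wanted to discourage.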