[dns-operations] [DNSOP] bind fails to continue recursing on one specific query

Petr Špaček pspacek at isc.org
Wed Mar 29 13:30:59 UTC 2023


On 29. 03. 23 13:03, Dave Lawrence wrote:
> Peter DeVries via dns-operations writes:
>>      Another relevant draft:
>>      https://datatracker.ietf.org/doc/html/rfc8906
>>
>> Not sure how, it doesn't address _. as a use case at all and I only
>> see testing for minimal EDNS not minimal qname.
> 
> The journey of that document was with, essentially, No Response
> Considered Harmful. While it does go over many specific examples, the
> thrust of it from the Introduction is that not responding to
> legitimate queries is an ambiguous signal that burdens the DNS
> ecosystem even more.

That's right.

Well-behaved DNS resolvers might assume that a timeout indicates that the 
server is not keeping up, and that the resolver should try another server or 
enable throttling for the non-responsive server (in an attempt to 
help the server keep up with load).

In other words, dropping queries from resolvers might/will cause 
legitimate clients to not get timely answers, but attackers will not 
care and will continue flooding the resolver.

Artificial timeouts also wreak havoc on some RTT estimation approaches etc.

Thus
=> RFC 8906 => It's A Bad Idea To Drop Queries.

-- 
Petr Špaček
Internet Systems Consortium
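The mechanism Petr describes (a resolver reading a timeout as "this server is overloaded" and backing off from it) can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the thread, from BIND, or from ISC, and the SRTT update rule, the timeout penalty, the constants and the two servers `ns1`/`ns2` are all constructed assumptions chosen to illustrate the effect, not any resolver's real algorithm. It models an authoritative server that answers ordinary names quickly but silently drops the `_.`-prefixed QNAME-minimisation probe discussed upthread, and shows that a single dropped probe pushes the resolver onto a slower fallback server for every later query to that zone.

```python
"""Toy model of SRTT-based authoritative server selection in a recursive
resolver (added example; NOT BIND's algorithm or constants).

A timeout is indistinguishable from overload, so the model penalises the
server for all subsequent queries, not just the one that was dropped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIMEOUT_MS = 800            # assumed resolver query timeout (constructed)
TIMEOUT_PENALTY_MS = 2000   # assumed penalty per consecutive timeout (constructed)
ALPHA = 0.3                 # assumed EWMA weight for new RTT samples (constructed)


@dataclass
class Server:
    name: str
    srtt_ms: float = 100.0  # smoothed RTT estimate; starts at a neutral value
    timeouts: int = 0

    def observe_response(self, rtt_ms: float) -> None:
        # Exponentially weighted moving average of measured RTT.
        self.srtt_ms = (1 - ALPHA) * self.srtt_ms + ALPHA * rtt_ms
        self.timeouts = 0

    def observe_timeout(self) -> None:
        # The resolver cannot tell "dropped on purpose" from "overloaded",
        # so it inflates the estimate and backs off from this server.
        self.timeouts += 1
        self.srtt_ms = max(self.srtt_ms, TIMEOUT_MS) + TIMEOUT_PENALTY_MS * self.timeouts


def pick_server(servers: List[Server]) -> Server:
    """Prefer the server with the lowest smoothed RTT estimate."""
    return min(servers, key=lambda s: s.srtt_ms)


def authoritative_behaviour(server: Server, qname: str) -> Optional[float]:
    """Constructed behaviour of two hypothetical authoritative servers.

    ns1 is fast (20 ms) but silently drops the '_.' minimisation probe.
    ns2 is slower (60 ms) but answers everything it is asked.
    Returns the measured RTT in ms, or None if the query was dropped.
    """
    if server.name == "ns1":
        return None if qname.startswith("_.") else 20.0
    return 60.0


def resolve(servers: List[Server], qname: str) -> Tuple[str, str]:
    """Send one query to the preferred server; return (server used, outcome)."""
    s = pick_server(servers)
    rtt = authoritative_behaviour(s, qname)
    if rtt is None:
        s.observe_timeout()
        return s.name, "timeout"
    s.observe_response(rtt)
    return s.name, "answer"


def run_trace(qnames: List[str]) -> Tuple[List[Server], List[Tuple[str, str]]]:
    """Run a sequence of queries against fresh ns1/ns2 state."""
    servers = [Server("ns1"), Server("ns2")]
    trace = [resolve(servers, q) for q in qnames]
    return servers, trace


if __name__ == "__main__":
    # Constructed query sequence: one ordinary lookup, then the '_.' probe
    # a QNAME-minimising resolver might send, then more ordinary lookups.
    servers, trace = run_trace(
        ["www.example.", "_.example.", "www.example.", "www.example."]
    )
    for (server, outcome), qname in zip(
        trace, ["www.example.", "_.example.", "www.example.", "www.example."]
    ):
        print(f"{qname:14s} -> {server}: {outcome}")
    for s in servers:
        print(f"{s.name}: srtt={s.srtt_ms:.1f} ms, consecutive timeouts={s.timeouts}")
```

The trace shows the cost of dropping instead of answering: after the single dropped probe, `ns1` carries an inflated estimate and the resolver sends every following `www.example.` query to `ns2`, so legitimate clients pay the slower server's latency even though `ns1` would have answered them in 20 ms. Returning a proper response to the probe (NODATA, NXDOMAIN, REFUSED, whatever is correct) keeps the RTT estimate honest and costs the server one small packet.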
