In message <552bb1d3.10...@imperial.ac.uk>, Phil Mayers writes:

> On 11/04/15 14:03, Chuck Anderson wrote:
>
> > I can't stop clients from making certain kinds of queries (unless BIND
> > has a feature to refuse such queries or not recurse for them?).
> > Whenever a client makes the 'ANY' query, it effectively causes a DoS
> > on that name. Luckily the MinTTL is only 30 seconds, so the problem
> > goes away after 30 seconds.
>
> This is a fair point. TBH I wonder if bind mightn't be better caching
> ANY as a separate pseudo-type, if I'm understanding the problem correctly.
No. Named caches NXDOMAIN and NOERROR NODATA to ANY queries independently of qtype (with the exception of DS/NXDOMAIN).

Working around bugs in authoritative servers has made recursive servers more complicated than they need to be and removes any pressure for authoritative server vendors and their operators to fix broken servers. Today, 16 years after its introduction, we still see authoritative servers that do not respond to EDNS queries. Trying to work around this leads to other servers being mis-classified as not supporting EDNS, which in turn leads to validation failures when the zone is signed.

I'm getting tempted to remove the workaround code for non-response to EDNS queries. I'm also tempted to remove the ability to say that EDNS is not supported in named.conf. Named will still fall back to plain DNS on FORMERR and NOTIMP. Yes, this will break lookups to certain zones.

Using EDNS extensions will be the next battlefield. There are lots of servers that fail to handle unknown EDNS options, flags and versions correctly despite there being specified behaviour for all of these events in RFC 6891 (RFC 2671, its predecessor, failed to specify unknown EDNS option behaviour). Only around 60% of servers correctly handle all three extension methods <http://users.isc.org/~marka/summary.html>. Some of that is due to poorly configured firewalls in front of the nameservers rather than the nameservers themselves.
Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
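The three RFC 6891 behaviours Mark refers to (unknown EDNS option, unknown flag bits, unknown version) can be checked against an authoritative server you operate with a small probe. The script below is an added example written for this thread; it is not ISC's own test tool and not code from the list. It builds the DNS packets by hand with only the standard library, grades each response the way RFC 6891 section 6.1.3 and 6.1.4 require (unknown options and Z bits must be ignored, an unsupported version must be answered with BADVERS), and treats silence or a missing OPT record as a failure so that a firewall dropping EDNS queries shows up too. The server address and a name in its zone are supplied on the command line; `example.test` in the tests is a constructed name, and `build_response` exists only so the grader can be exercised offline.

```python
"""EDNS (RFC 6891) conformance probe for an authoritative server you run.
Sends three queries (unknown option, unknown Z flag, unknown version) and
grades the answers. Hand-built packets, standard library only."""
import socket
import struct

QTYPE_A, TYPE_OPT, RCODE_BADVERS = 1, 41, 16
UDP_PAYLOAD = 1232


def _question(qname, qtype):
    labels = qname.rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return wire + struct.pack("!HH", qtype, 1)  # class IN


def _opt_rr(version=0, flags=0, options=b"", ext_rcode=0):
    # OPT pseudo-RR: root name, type 41, CLASS carries the UDP payload size,
    # TTL packs extended RCODE | version | flags (RFC 6891 section 6.1.3).
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, ttl, len(options)) + options


def build_query(qname, txid=0x1234, version=0, flags=0, options=b""):
    # RD=0: we are asking an authoritative server directly, not a resolver.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    return header + _question(qname, QTYPE_A) + _opt_rr(version, flags, options)


def build_response(qname, rcode, txid=0x1234, ext_rcode=0, version=0, with_opt=True):
    # Constructed responder message (QR=1, AA=1); used only to exercise the grader offline.
    header = struct.pack("!HHHHHH", txid, 0x8400 | (rcode & 0xF), 1, 0, 0, 1 if with_opt else 0)
    opt = _opt_rr(version, 0, b"", ext_rcode) if with_opt else b""
    return header + _question(qname, QTYPE_A) + opt


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, opt = flags & 0xF, 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            rcode |= (ttl >> 24) << 4  # extended RCODE lives in the OPT TTL
            opt = {"version": (ttl >> 16) & 0xFF, "flags": ttl & 0xFFFF, "udp_size": rclass}
        off += rdlen
    return {"txid": txid, "rcode": rcode, "opt": opt}


# Three probes; RFC 6891 specifies the responder's behaviour for each.
PROBES = {
    "unknown_option": {"options": struct.pack("!HH", 65001, 4) + b"\xde\xad\xbe\xef"},  # local/experimental code
    "unknown_flag": {"flags": 0x0080},  # a Z bit, not DO (0x8000); must be ignored
    "unknown_version": {"version": 1},  # must be answered with BADVERS
}


def grade(probe, resp):
    if resp is None:
        return "fail: no response (server or firewall dropped the query)"
    if resp["opt"] is None:
        return "fail: no OPT record in response (EDNS unsupported or stripped)"
    if probe == "unknown_version":
        return "ok" if resp["rcode"] == RCODE_BADVERS else f"fail: expected BADVERS, got rcode {resp['rcode']}"
    # Unknown options and Z bits must be ignored: a normal answer (NOERROR or
    # NXDOMAIN for a name under the server's zone) passes; FORMERR/NOTIMP fail.
    return "ok" if resp["rcode"] in (0, 3) else f"fail: expected NOERROR/NXDOMAIN, got rcode {resp['rcode']}"


def probe_server(server, qname, timeout=3.0):
    results = {}
    for name, params in PROBES.items():
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, **params), (server, 53))
            data, _ = sock.recvfrom(4096)
            results[name] = grade(name, parse_response(data))
        except socket.timeout:
            results[name] = grade(name, None)
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    import sys
    # Usage: python edns_probe.py <server-ip> <name-in-its-zone>
    for probe, verdict in probe_server(sys.argv[1], sys.argv[2]).items():
        print(f"{probe:16} {verdict}")
```

A REFUSED verdict on the first two probes usually means the name queried is not in a zone the server serves; pick one that is, since the point of those probes is that the server answers normally despite the unfamiliar EDNS content. A failure on all three with "no response" is the firewall case Mark mentions rather than the nameserver itself.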