On 2009-01-29 at 14:01 +0100, Florian Weimer wrote:

> * Mark Andrews:
>
> > The most common reason for recursive queries to an authoritative
> > server is someone using dig, nslookup or similar and forgetting
> > to disable recursion on the request.
Useful to know, thanks. So someone performing diagnostics on one of the root/gTLD/ccTLD servers would need to remember to dig +norec when checking visibility? Are manual diagnostics going out from the source IP of such auth nameservers considered common? In any case, it's a small enough, and hopefully clued enough, sample of admins that it shouldn't be a problem. Any organisation seeking to add their auth nameservers to a public RBL of such IPs will have to accept the same constraint on needing clued staff. No tears shed at that.

> dnscache in "forward only" mode also sets the RD bit, and apparently
> does not restrict itself to the configured forwarders list. (This is
> based on a public report, not on first-hand knowledge.)

Unless any of the root/gTLD/ccTLD nameservers are also running dnscache, it should be safe to drop UDP RD packets from those source IP addresses, as previously described.

-Phil
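The drop rule discussed in the thread, as an added example (not code from the thread or from any of its participants): parse the 12-byte DNS header of a UDP payload and flag queries with RD=1 whose source address falls in a configured set of authoritative-server prefixes. The prefixes are constructed placeholders (the real root/TLD addresses are not on the page), and the QR/opcode check is an addition of this example so that responses, which copy the query's RD bit, are not dropped.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed placeholder prefixes standing in for the auth-server source
# addresses the thread talks about; not real root/TLD server addresses.
AUTH_SERVER_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def dns_header_flags(payload: bytes):
    """Parse the DNS header; return (qr, opcode, rd) or None if too short."""
    if len(payload) < 12:
        return None
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    qr = (flags >> 15) & 1        # 0 = query, 1 = response
    opcode = (flags >> 11) & 0xF  # 0 = standard QUERY
    rd = (flags >> 8) & 1         # recursion desired
    return qr, opcode, rd


def should_drop(src_ip: str, payload: bytes) -> bool:
    """True for a UDP DNS *query* with RD=1 from an auth-server prefix.

    Responses (QR=1) are never dropped: RFC 1035 copies the query's RD bit
    into the response, so filtering on RD alone would break legitimate answers.
    """
    hdr = dns_header_flags(payload)
    if hdr is None:
        return False
    qr, opcode, rd = hdr
    if qr != 0 or opcode != 0 or rd != 1:
        return False
    src = ip_address(src_ip)
    return any(src in net for net in AUTH_SERVER_NETS)


def build_query(name: str, rd: bool, qr: bool = False) -> bytes:
    """Construct a minimal A/IN DNS message (sample input, not captured traffic)."""
    flags = (0x8000 if qr else 0) | (0x0100 if rd else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
```

A `dig +norec` from an auth-server address produces RD=0 and passes the filter, while a plain `dig` from the same address is dropped.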