on TTL expiry BIND sends 'ANY' query, gets back 'NOANSWER'

Mark Andrews marka at isc.org
Mon Apr 13 23:44:00 UTC 2015


In message <552BB1D3.10800 at imperial.ac.uk>, Phil Mayers writes:
> On 11/04/15 14:03, Chuck Anderson wrote:
> 
> > I can't stop clients from making certain kinds of queries (unless BIND
> > has a feature to refuse such queries or not recurse for them?).
> > Whenever a client makes the 'ANY' query, it effectively causes a DoS
> > on that name.  Luckily the MinTTL is only 30 seconds, so the problem
> > goes away after 30 seconds.
> 
> This is a fair point. TBH I wonder if bind mightn't be better caching 
> ANY as a separate pseudo-type, if I'm understanding the problem correctly.

No.  Named caches NXDOMAIN and NOERROR NODATA to ANY queries
independently of qtype (with the exception of DS/NXDOMAIN).

Working around bugs in authoritative servers has made recursive
servers more complicated than they need to be and removes any pressure
for authoritative server vendors and their operators to fix broken
servers.

Today, 16 years after its introduction, we still see authoritative
servers that do not respond to EDNS queries.  Trying to work around
this leads to other servers being mis-classified as not supporting
EDNS which in turn leads to validation failures when the zone is
signed.

I'm getting tempted to remove the workaround code for non-response
to EDNS queries.  I'm also tempted to remove the ability to say
that EDNS is not supported in named.conf.  Named will still fall back
to plain DNS on FORMERR and NOTIMP.  Yes, this will break lookups
to certain zones.

Using EDNS extensions will be the next battlefield.  There are
lots of servers that fail to handle unknown EDNS options, flags and
versions correctly despite there being specified behaviour for all
of these events in RFC 6891 (RFC 2671, its predecessor, failed to
specify unknown EDNS option behaviour).  Only around 60% of servers
correctly handle all three extension methods
<http://users.isc.org/~marka/summary.html>.  Some of that is due
to poorly configured firewalls in front of the nameservers rather
than the nameservers themselves.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
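As an added example (not code from ISC, BIND or anyone in this thread), here is a small checker for the three RFC 6891 behaviours Mark lists: an unknown EDNS option must be ignored and not echoed, an unknown EDNS flag must be ignored and cleared, and an unsupported EDNS version must get BADVERS. The option code 65001 (local/experimental-use range) and the Z bit 0x4000 are constructed probe values, and `constructed_response` fabricates replies so the code runs offline; against a real server you would send the probes over UDP and pass the raw reply to `conforms()`.

```python
import struct

UNKNOWN_OPTION = 65001   # constructed: an option code in the local/experimental-use range
UNKNOWN_FLAG = 0x4000    # constructed: an EDNS Z bit that no RFC assigns

def _skip_name(msg, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_opt(msg):
    """Return (rcode, ext_rcode, version, flags, option codes) of the OPT RR, or None."""
    _, hdr, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                 # skip QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 41:                                # OPT pseudo-RR
            rdata, codes, p = msg[off:off + rdlen], [], 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack(">HH", rdata[p:p + 4])
                codes.append(code)
                p += 4 + olen
            return hdr & 0xF, ttl >> 24, (ttl >> 16) & 0xFF, ttl & 0xFFFF, codes
        off += rdlen
    return None

def conforms(kind, response):
    """True if the reply handles probe `kind` ("option", "flag", "version") as RFC 6891 requires."""
    opt = parse_opt(response)
    if opt is None:
        return False                                   # EDNS query answered without an OPT RR
    rcode, ext, version, flags, codes = opt
    full_rcode = (ext << 4) | rcode                    # extended RCODE is the high 8 bits
    if kind == "option":                               # unknown option: ignored, never echoed
        return full_rcode == 0 and UNKNOWN_OPTION not in codes
    if kind == "flag":                                 # unknown flag: ignored, cleared in reply
        return full_rcode == 0 and not flags & UNKNOWN_FLAG
    return full_rcode == 16 and version == 0           # "version": BADVERS, reply at version 0

def constructed_response(rcode=0, ext_rcode=0, version=0, flags=0, rdata=b""):
    """Constructed reply (QR set, one question, one OPT RR) so the check runs offline."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 1)
    question = b"\x07example\x00" + struct.pack(">HH", 1, 1)
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, ext_rcode, version, flags, len(rdata)) + rdata
    return hdr + question + opt
```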