Resolving and caching illegal names

John Thurston john.thurston at alaska.gov
Tue Jan 24 21:15:58 UTC 2023


My "resolvers", running BIND 9.18.10 and 9.16.36, accept and attempt to 
resolve queries for illegal names. They will cache answers for these 
names, and answer from cache when asked. What's the thinking here?

I suppose it could be, "The specifications of what is a legal name may 
change with time, and we don't want to burden the resolver code by 
asking it to validate the string before trying to resolve it."

This comes up because my "resolvers" don't actually resolve. All they 
are allowed to do is forward external queries to Akamai, and accept the 
response from Akamai. And Akamai (thank you very much) is happy to 
accept queries like "What is the A-record for 10.11.12.13?" and reply 
with "The answer is 10.11.12.13, and is good for 10 seconds."

Akamai's explanation for this behavior is: "...the query was made in 
error (likely/maybe meant to be type 'PTR') and we are trying to save 
the resolver from doing the work a query like this would entail."

But what it really means is my validating "resolver" then does the work 
of trying to validate the reply it got. It is unable to do so, and 
returns a SERVFAIL to the customer.

I haven't yet tried, but I don't expect I can define an RPZ to trap such 
illegal names. Can I? If I could, it would reduce the traffic to Akamai, 
and the number of validations I'm trying to do.



-- 
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
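As an added example (not part of the post, and not BIND's or Akamai's code): a Python script that scans BIND 9 query-log lines for QNAMEs that are bare IPv4 literals, the kind of "A record for 10.11.12.13" query the post describes being forwarded, so the volume and the clients sending them can be measured before deciding what to do about them. The log lines are constructed samples, and the regex assumes the standard BIND 9 query-log layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (not taken from the post).
SAMPLE_QUERY_LOG = """\
24-Jan-2023 21:10:01.001 client @0x7f1c2c0a1b10 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
24-Jan-2023 21:10:01.102 client @0x7f1c2c0a1b10 192.0.2.11#40022 (10.11.12.13): query: 10.11.12.13 IN A +E(0)K (192.0.2.53)
24-Jan-2023 21:10:01.203 client @0x7f1c2c0a1b10 192.0.2.12#53311 (13.12.11.10.in-addr.arpa): query: 13.12.11.10.in-addr.arpa IN PTR +E(0)K (192.0.2.53)
24-Jan-2023 21:10:01.304 client @0x7f1c2c0a1b10 192.0.2.11#40023 (10.11.12.13): query: 10.11.12.13 IN AAAA +E(0)K (192.0.2.53)
24-Jan-2023 21:10:01.405 client @0x7f1c2c0a1b10 192.0.2.13#60001 (203.0.113.9): query: 203.0.113.9 IN A +E(0)K (192.0.2.53)
"""

# Matches the "client ... (qname): query: name IN type" portion of a BIND 9 query-log line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def is_ipv4_literal_qname(qname: str) -> bool:
    """True when the QNAME is a dotted-quad IPv4 address used as a hostname,
    e.g. '10.11.12.13' queried for an A record. A PTR name such as
    '13.12.11.10.in-addr.arpa' is a legitimate name and returns False."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
    except ValueError:
        return False
    return True


def summarize(log_text: str) -> dict:
    """Count queries whose QNAME is an IPv4 literal, broken down by client and qtype."""
    by_client = Counter()
    by_qtype = Counter()
    total = 0
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; skip
        total += 1
        if is_ipv4_literal_qname(m["name"]):
            by_client[m["src"]] += 1
            by_qtype[m["qtype"]] += 1
    return {"total": total, "literal": sum(by_qtype.values()),
            "by_client": dict(by_client), "by_qtype": dict(by_qtype)}


if __name__ == "__main__":
    print(summarize(SAMPLE_QUERY_LOG))
```

Point it at a real query log (`categories { queries { ... }; }` in named.conf) to see which clients generate these lookups; the same classifier can be reused to decide whether blocking them locally would be worthwhile.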