Ondřej Surý <[email protected]> wrote:
> I can definitely say this is not going to be implemented and nobody should.
> Not returning an answer is a protocol violation that can lead to DNS
> spoofing window being much larger.
Surely I'm allowed to *not* run a DNS server on an IP address, and dropping
replies surely fits into that space :-)
> There are also servers like BIND 9
> that maintain a state per server/IP address and an attacker can point
> her domain name to your server and use this to manipulate the remote
> server state by asking for such name at the victim resolver.
Yes, that's an interesting concern.
It might be worth the risk.
It seems like the OP should run their selective recursion on a different IP
address than their authoritative.
Then they can have views and do different things. IPv6 makes this trivial.
IPv4 scarcity might make this harder.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
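The separation suggested in the reply above (authoritative service and selective recursion on different IP addresses, each handled by its own view) expressed as a BIND 9 configuration. This is an added example, not configuration from either poster or from the list; the addresses are documentation prefixes (RFC 5737 / RFC 3849), and the zone name and client ranges are placeholders.

```conf
// Two views keyed on the destination address, so the authoritative
// service and the recursive service answer on different addresses.
// Nothing here drops queries: unwanted ones get REFUSED, which keeps
// the server protocol-compliant and avoids the spoofing-window concern.

acl "auth-addrs"     { 192.0.2.53; 2001:db8:1::53; };   // placeholder
acl "resolver-addrs" { 192.0.2.54; 2001:db8:1::54; };   // placeholder
acl "my-clients"     { 198.51.100.0/24; 2001:db8:2::/48; };  // placeholder

options {
    directory "/var/named";
    // Bind both address sets; the views decide what each one does.
    listen-on    { 192.0.2.53; 192.0.2.54; };
    listen-on-v6 { 2001:db8:1::53; 2001:db8:1::54; };
    recursion no;   // safe default for any view that does not enable it
};

// Authoritative-only: queries that arrive at the authoritative addresses.
view "authoritative" {
    match-destinations { auth-addrs; };
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" {          // placeholder zone
        type primary;
        file "example.com.zone";
    };
};

// Selective recursion: only on the separate resolver addresses and only
// for the listed clients, so the authoritative address never recurses.
view "resolver" {
    match-destinations { resolver-addrs; };
    match-clients { my-clients; };
    recursion yes;
    allow-recursion   { my-clients; };
    allow-query       { my-clients; };
    allow-query-cache { my-clients; };
};

// Catch-all for anything that matched neither view (for example a
// non-client hitting the resolver address): answered with REFUSED.
view "refuse" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

Check the result with `named-checkconf` and then confirm from an outside address that the resolver address returns REFUSED rather than timing out.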