This is probably overblown:
On Mon, 23 Sep 2024, Lars Kollstedt wrote:
[...]
since the discovery of the real name of text.example.com (if this is requestable from unvalidated source IP addresses - almost any source IP address in the "internet" has to be considered unvalidated - since there is no applicable way to validate foreign source addresses on autonomous system interconnects, yet) will make it possible to abuse these RRs for a DoS amplification attack against third parties (the real owners of the forged source IPs).
The attacker just needs to send requests for text.example.com IN TXT with the forged IP of the victim, and the victim will get your hundreds of TXT records under this name from your server for each of them.
In most cases I would expect rrsets likely to trigger the limit behavior to first cause TC=1 to be triggered, therefore shielding the recipient from the full impact of the large record set. But if you're exposing large rrsets to the public (regardless of whether they trigger this particular behavior) it's worth reviewing your server posture to make sure your limits on what's allowed via UDP are reasonable.
--
Fred Morris, internet plumber
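As an added illustration of the exposure review Fred suggests (example code, not from the thread or from ISC), the script below wire-encodes a TXT query and the matching response for a constructed RRset under text.example.com, reports the reflected-bytes-per-query-byte ratio, and shows how a UDP size limit that forces TC=1 bounds it. It assumes no EDNS on the query and models truncation simply as "TC=1, answer section dropped"; real servers may keep a partial answer section.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name: str) -> bytes:
    """Minimal DNS query for <name> IN TXT without EDNS (12-byte header + question)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN

def txt_rdata(value: str) -> bytes:
    """TXT RDATA: one or more <len><chars> character-strings of at most 255 bytes."""
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return b"".join(bytes([len(c)]) + c.encode("ascii") for c in chunks)

def build_response(name: str, txt_values: list, udp_limit: int) -> tuple:
    """Answer carrying the whole RRset, or a TC=1 reply with the answer section
    dropped when the full reply would exceed udp_limit (simplified model).
    Returns (wire_bytes, truncated)."""
    question = encode_name(name) + struct.pack("!HH", 16, 1)
    answers = b""
    for value in txt_values:
        rdata = txt_rdata(value)
        # 0xC00C is a compression pointer to the owner name in the question section
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    full = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(txt_values), 0, 0) + question + answers
    if len(full) <= udp_limit:
        return full, False
    tc_reply = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + question  # QR, TC, RD, RA
    return tc_reply, True

def amplification(name: str, txt_values: list, udp_limit: int) -> dict:
    """Bytes a spoofed query of this name would reflect, relative to the query size."""
    query = build_query(name)
    reply, truncated = build_response(name, txt_values, udp_limit)
    return {"query": len(query), "response": len(reply), "truncated": truncated,
            "factor": round(len(reply) / len(query), 2)}

if __name__ == "__main__":
    # Constructed sample: 100 TXT records of 192 bytes each under one owner name.
    sample = [f"v=constructed-sample-record-{i:03d}-" + "x" * 160 for i in range(100)]
    for limit in (512, 1232, 4096, 65535):
        print(f"udp limit {limit:>5}: {amplification('text.example.com', sample, limit)}")
```

With the 512-byte non-EDNS default the RRset is truncated and the ratio collapses to 1.0; only a limit large enough to carry the whole set exposes the multi-hundred-fold reflection.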