This is probably overblown:

On Mon, 23 Sep 2024, Lars Kollstedt wrote:
[...]
since the discovery of the real name of text.example.com (if this is requestable from unvalidated source IP addresses; almost any source IP address on the "internet" has to be considered unvalidated, since there is no applicable way to validate foreign source addresses on autonomous system interconnects yet) will make it possible to abuse these RRs for a DoS amplification attack against third parties (the real owners of the forged source IPs).

The attacker just needs to send requests for text.example.com IN TXT with the forged IP of the victim, and the victim will get your hundreds of TXT records under this name from your server for each of them.

In most cases I would expect rrsets likely to trigger the limit behavior to first cause TC=1 to be triggered, therefore shielding the recipient from the full impact of the large record set. But if you're exposing large rrsets to the public (regardless of whether they trigger this particular behavior) it's worth reviewing your server posture to make sure your limits on what's allowed via UDP are reasonable.

--

Fred Morris, internet plumber
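The two points in this exchange, the bytes-in versus bytes-out ratio Lars worries about and the TC=1 shielding Fred expects, can be measured on the wire. The following is an added example, not code from either poster or from BIND: it builds a TXT query and a UDP response for it with the standard library only, applies a UDP size limit (512 bytes without EDNS, otherwise the smaller of the client's advertised buffer and a server-side cap such as BIND's max-udp-size), and reports the amplification factor. The name text.example.com, the 200-byte TXT strings and the 15-record rrset are constructed sample data; the choice to send an empty answer section when the rrset does not fit is this example's, not a claim about how any particular server truncates.

```python
"""How much larger a TXT reply is than the query that elicited it, and how the
UDP size limit (TC=1) bounds that. All messages are built in-process; nothing
is sent. Standard library only."""
import struct

TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_TXT, qid=0x1234, edns_bufsize=None):
    """Plain UDP query; with edns_bufsize an OPT RR advertises that payload size."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, "class" carries the UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def txt_rdata(text):
    """TXT RDATA is a sequence of <character-string>s of at most 255 bytes each."""
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)


def build_udp_response(query, txt_values, server_max_udp=4096, ttl=300):
    """One TXT RR per value, subject to the UDP size limit.

    Limit: 512 bytes without EDNS, else the smaller of the client's advertised
    buffer and server_max_udp (the server-side cap Fred's reply points at).
    If the whole rrset does not fit, this example sets TC=1 and sends an empty
    answer section; the resolver has to retry over TCP to get the data anyway.
    """
    qid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", query[:12])
    pos = 12
    while query[pos] != 0:            # walk the labels to the end of QNAME
        pos += 1 + query[pos]
    pos += 1 + 4                       # zero label, QTYPE, QCLASS
    question = query[12:pos]

    edns_bufsize = None
    if arcount and len(query) >= pos + 11 and query[pos] == 0 \
            and struct.unpack("!H", query[pos + 1:pos + 3])[0] == TYPE_OPT:
        edns_bufsize = struct.unpack("!H", query[pos + 3:pos + 5])[0]
    limit = 512 if edns_bufsize is None else max(512, min(edns_bufsize, server_max_udp))

    opt = b""
    if edns_bufsize is not None:       # echo an OPT RR carrying our own cap
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_max_udp, 0, 0)

    answers = b""
    for value in txt_values:
        rdata = txt_rdata(value)
        # 0xC00C: compression pointer to the QNAME at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata

    flags, ancount = FLAG_QR | FLAG_RD, len(txt_values)
    if 12 + len(question) + len(answers) + len(opt) > limit:
        flags |= FLAG_TC
        answers, ancount = b"", 0
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1 if opt else 0)
    return header + question + answers + opt


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def amplification(query, response):
    """Bytes the spoofed victim receives per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed sample: a name carrying fifteen 200-byte TXT strings.
    rrset = [b"v=%03d " % i + b"x" * 194 for i in range(15)]
    for label, q in (("no EDNS", build_query("text.example.com")),
                     ("EDNS 4096", build_query("text.example.com", edns_bufsize=4096))):
        for cap in (4096, 1232):
            r = build_udp_response(q, rrset, server_max_udp=cap)
            print(f"{label:9} cap={cap}: TC={is_truncated(r)} reply={len(r)}B "
                  f"amplification={amplification(q, r):.1f}x")
```

With no EDNS the 3 KB rrset never fits in 512 bytes, so the victim gets a 34-byte TC=1 reply for a 34-byte query, which is Fred's point. A client advertising a 4096-byte buffer against a server that allows 4096 over UDP gets the full rrset, roughly 72 bytes out per byte in; lowering the server's UDP cap to 1232 turns that back into a truncated 45-byte reply. That cap is the "limits on what's allowed via UDP" worth reviewing.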

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.