In message <[email protected]>, Florian Weimer writes:
> * Mark Andrews:
>
> > Instead of just causing everyone to hack their code to force TCP
> > just return NOERROR, TC=1 and legitimate client will fall back to TCP
> > without all the other side effects of this ill-considered change.
>
> This will still break things because prior to the change, large
> authoritative ANY responses are truncated without setting TC=1. After
> the change, large ANY responses enter the cache and trigger TC=1
> responses to stub resolvers (recursors do not silently truncate ANY
> responses, it seems), which may not be prepared to accept such large
> responses (or even fall back to TCP).
Such stubs are already broken. TC=1 has always been an expected result.

> Some breakage is unavoidable. Considering that ANY queries rarely
> give the results expected by the sender, refusing them outright makes
> sense to me.

So now recursive servers need to try all the authoritative servers, trying to find a non-broken server. Then they will return SERVFAIL to the clients, which you hope will do something sensible with the SERVFAIL response. This is a DoS attack on the recursive resolvers.

STOP IT.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
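The two behaviours argued over in this thread can be modelled with a few dozen lines of DNS header handling: a stub that treats TC=1 as the normal signal to retry over TCP, versus a recursor that walks every authoritative server and ends in SERVFAIL when all of them return REFUSED. The code below is an added illustration, not code from either poster or from ISC; the query name "example.com", the query ID and the response lists are constructed inputs, and the recursor model is deliberately simplified (no retries, no EDNS, no TCP transport) to show only the decision logic.

```python
import struct

# DNS header flag bits and rcodes (RFC 1035 section 4.1.1).
QR = 0x8000          # response
TC = 0x0200          # truncated: client should retry over TCP
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_REFUSED = 5
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype):
    """Build a minimal recursive query: header + one question."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, rcode=RCODE_NOERROR, tc=False):
    """Echo the question back with QR set; optionally set TC and an rcode.

    With tc=True and no answer records this is the "NOERROR, TC=1" reply the
    thread talks about: nothing useful over UDP, but a clear signal to retry.
    """
    qid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = QR | RD | RA | (TC if tc else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0)
    return header + query[12:]


def parse_header(msg):
    """Decode the 12-byte header into the fields a client cares about."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def stub_next_step(query, response):
    """What a well-behaved stub does with a UDP response to `query`."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "ignore"                  # not a reply to our query
    if h["tc"]:
        return "retry_over_tcp"          # TC=1 is an expected result
    if h["rcode"] == RCODE_NOERROR:
        return "use_answer"
    return "error_rcode_%d" % h["rcode"]  # REFUSED, SERVFAIL, ...


def recursor_outcome(query, auth_responses):
    """Model a recursor trying each authoritative server in turn.

    Returns (rcode handed to the client, number of servers contacted).
    Every server answering REFUSED costs a round trip and ends in SERVFAIL.
    """
    attempts = 0
    for resp in auth_responses:
        attempts += 1
        if parse_header(resp)["rcode"] == RCODE_NOERROR:
            return RCODE_NOERROR, attempts
    return RCODE_SERVFAIL, attempts


if __name__ == "__main__":
    q = build_query(0x1234, "example.com", QTYPE_ANY)   # constructed query
    print(stub_next_step(q, build_response(q, tc=True)))
    refused = [build_response(q, rcode=RCODE_REFUSED)] * 3
    print(recursor_outcome(q, refused))
```

Run as a script it prints the stub's decision for a TC=1 reply and the recursor's result against three refusing servers; the point of `recursor_outcome` is that the cost of the REFUSED policy is paid by the recursor, which must contact every server before it can fail.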
