> From: Jared Mauch <[email protected]>
> The folks that are most concerned with RRL are those expecting queries
> from stub resolvers, I think this would mitigate this risk.
} > Is it intentional that the patch does not affect authoritative ANY
} > responses?  I think the patch would fail to stop the authorities for
} > isc.org from answering `dig +dnssec isc.org any @ams.sns-pb.isc.org'
} > with almost 4 Kbytes.
}
} It's somewhat accidental, but I think OK.

We disagree on both of those issues.  Reflections from recursive servers
are bad, but reflections from authorities are as bad, if only because
many authorities have more resources and so can blast more bits at a DoS
target than many recursives.  There's also the idea that open recursives
should be closed for more reasons than complicity in reflection DoS
attacks, but authorities cannot be closed.

} I think it is fine as it primes the cache if it's a real query, but if it's
} fake then it just keeps sending TC=1 until the TTL expires.

What are "fake" and "real" queries?  I didn't think we were talking
about queries that get NXDOMAIN responses or <random>example.com.
There would be no need for any patches if there were a way to
distinguish forged DoS queries from real queries from the DoS target.

That reference to cache priming suggested another thought.  As you
wrote, the patch does not stop recursion from filling the local cache.
The patched code is not used when the local cache already has the
answer, as it will after an initial TC=1 response, because BIND sort
of pretends that it is authoritative for everything in the cache.
That implies the patch should have no effect after an initial ANY
query and TC=1 response.  I think the patch has a false negative rate
of approximately 100%.

To check whether I am wrong again, I set up a test server and tried
two `dig +ignore isc.org any` commands.  The first got a TC=1 error
response as expected.  The second command got 3500 bytes of RRs via
UDP.  I expect (but haven't tested) that all subsequent queries get
normal responses until all of the TTLs expire.
So I recommend that those who want to answer all UDP ANY responses
with TC=1 and don't like my real recommendation of "Don't Do That!"
use one of the fancy iptables or other firewall rules for doing that.
Or am I wrong again and no one has offered such rules?--if so, use one
of the rules that simply block ANY (which I also don't like).

Vernon Schryver    [email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
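The two-query test described in the message, rebuilt offline as an added example (my code, not from the thread, from BIND or from the patch under discussion): it builds a UDP ANY query and two constructed responses, one truncated (TC=1, no answers) and one full-size, measures the amplification factor of the full response, and reports whether a "TC=1 for every UDP ANY" policy actually holds across successive queries or only for the first one. The name example.com, the 250-byte TXT padding, the TTL and the verdict strings are assumptions; the wire format is RFC 1035.

```python
"""Offline check of "answer UDP ANY with TC=1" behaviour (added example)."""
import struct

QTYPE_ANY = 255
QTYPE_TXT = 16
CLASS_IN = 1
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Dotted name -> DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Plain query with RD set, one question, no EDNS (like an unadorned dig)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def txt_rr(text, ttl=3600):
    """One TXT RR whose owner is a compression pointer to the question name."""
    chunks = (text[i:i + 255] for i in range(0, len(text), 255))
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    return struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(query, answers, truncated):
    """Echo the question section and append the given answer RRs."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


def parse_header(msg):
    """Decode the 12-byte header; 'tc' is the field the whole debate is about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "size": len(msg)}


def amplification(query, response):
    """Bytes a reflector sends per byte a forged query costs the attacker."""
    return len(response) / len(query)


def evaluate(responses):
    """Verdict over successive UDP ANY responses from the same server.

    'bypassed-after-first' is the failure mode from the message: the first
    answer is truncated, later ones (served from cache) are not.
    """
    tc = [parse_header(r)["tc"] for r in responses]
    if all(tc):
        return "mitigated"
    if not any(tc):
        return "unmitigated"
    return "bypassed-after-first" if tc[0] else "inconsistent"


# Constructed sample traffic (assumed values, not captured from any server).
QUERY = build_query("example.com", QTYPE_ANY)                    # 29 bytes
TC_RESPONSE = build_response(QUERY, [], truncated=True)          # 29 bytes
FULL_RESPONSE = build_response(
    QUERY, [txt_rr(b"x" * 250) for _ in range(14)], truncated=False)  # 3711 bytes

if __name__ == "__main__":
    for label, resp in (("first", TC_RESPONSE), ("second", FULL_RESPONSE)):
        h = parse_header(resp)
        print(f"{label}: size={h['size']} tc={h['tc']} ancount={h['ancount']} "
              f"amplification={amplification(QUERY, resp):.1f}x")
    print("verdict:", evaluate([TC_RESPONSE, FULL_RESPONSE]))
```

To run the same check against a real resolver you control, replace the two constructed responses with the payloads returned by two consecutive UDP queries for the same name; the verdict function does not care where the bytes came from. A server that is mitigated only for the first query still offers roughly the full amplification factor to a reflection attack, which is the point the message makes about cache priming.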
