I fixed the patch by moving where it does this check to before query_find as opposed to inside it.
Thanks for the insight and input.

- Jared

On May 15, 2013, at 8:03 PM, Vernon Schryver <[email protected]> wrote:

> I think the patch has a false negative rate of approximately 100%.
> To check whether I am wrong again, I set up a test server and tried
> two `dig +ignore isc.org any` commands. The first got a TC=1 error
> response as expected. The second command got 3500 bytes of RRs via
> UDP. I expect (but haven't tested) that all subsequent queries get
> normal responses until all of the TTLs expire.
>
>
> So I recommend that those who want to answer all UDP ANY responses
> with TC=1 and don't like my real recommendation of "Don't Do That!"
> use one of the fancy iptables or other firewall rules for doing that.
> Or am I wrong again and no one has offered such rules?--if so, use
> one of the rules that simply block ANY (which I also don't like).
