In message <[email protected]>, Vernon Schryver writes:

> > > done by now. it could have a slightly custom kernel that allowed the
> > > server to specify IP.TTL=3 in sendmsg().
>
> It's been pointed out privately that no kernel hacking would be needed:
>
> ] From the ip(7) manpage for Linux:
> ]
> ] IP_TTL (since Linux 1.0)
> ] Set or retrieve the current time-to-live field that is
> ] used in every packet sent from this socket.
>
> FreeBSD 9 and no doubt previous versions of the BSD code have:
>
> } setsockopt(s, IPPROTO_IP, IP_OPTIONS, NULL, 0);
> }
> } IP_TOS and IP_TTL may be used to set the type-of-service and time-to-live
> } fields in the IP header for SOCK_STREAM, SOCK_DGRAM, and certain types of
>
> That implies that every DNS server implementation with a reasonable
> ./configure script to check that IP_TTL or whatever is defined could
> and I think should by default set IP.TTL=3 on sockets used to send
> UDP responses.
> If those system calls work on listen() sockets, you could also
> easily limit TCP/DNS responses, but only for extra credit.
> In BIND you might want to link the IP_TTL setting to the view,
> which would add only a very small complication.
>
> My mail logs say that I proposed to BIND honchos using the BSD
> setsockopt(IP_TTL) in February. I also wrote:
>
> > it's occurred to me that a tiny IP TTL should be only (or maybe only
> > by default) on responses with RD=1.
> > RD=1 as the trigger might simplify DNS server configuration issues.
>
> My February mail logs also have words from someone unaffiliated with
> BIND on another mailing list about the idea.
Actually a better criterion is "would you set" RA in the response.

> Vernon Schryver [email protected]
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
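The setsockopt(IP_TTL) approach discussed in the thread, as an added example (not code from the thread, from BIND or from ISC): the RD bit of the incoming query decides whether the low TTL applies, the TTL values and the sample DNS headers are constructed for illustration, and a real server would keep one socket per TTL rather than toggling the option per packet.

```c
/* Added example: cap the IP TTL on the UDP socket a DNS server answers from,
 * so reflected responses cannot travel far beyond the server's own network.
 * Linux and BSD both expose this as setsockopt(IPPROTO_IP, IP_TTL). */
#include <stdint.h>
#include <stddef.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DNS_HDR_LEN 12
#define LOW_RESPONSE_TTL 3   /* value proposed in the thread */
#define DEFAULT_TTL 64       /* assumption: the normal outbound TTL */

/* Return 1 if the DNS query header has RD=1 (client asks for recursion),
 * 0 if RD=0, -1 if the buffer is too short to hold a header. */
int query_wants_recursion(const uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN) return -1;
    /* Flags occupy bytes 2-3; RD is the least significant bit of byte 2. */
    return (pkt[2] & 0x01) ? 1 : 0;
}

/* Pick the TTL for the response to this query: small only for RD=1. */
int response_ttl_for(const uint8_t *pkt, size_t len)
{
    return query_wants_recursion(pkt, len) == 1 ? LOW_RESPONSE_TTL : DEFAULT_TTL;
}

/* Apply the chosen TTL to the response socket and read it back so the
 * caller can verify the kernel accepted it.  Returns the TTL now in
 * effect, or -1 on error. */
int apply_response_ttl(int fd, const uint8_t *pkt, size_t len)
{
    int ttl = response_ttl_for(pkt, len);
    if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0) return -1;
    int got = 0;
    socklen_t optlen = sizeof got;
    if (getsockopt(fd, IPPROTO_IP, IP_TTL, &got, &optlen) < 0) return -1;
    return got;
}

/* Constructed sample headers: ID 0x1234, QDCOUNT 1, other counts 0. */
static const uint8_t sample_rd_query[DNS_HDR_LEN] =
    {0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0}; /* RD=1 */
static const uint8_t sample_no_rd_query[DNS_HDR_LEN] =
    {0x12, 0x34, 0x00, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0}; /* RD=0 */
```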
