Viktor Dukhovni wrote on 2020-08-28 18:46:
On Fri, Aug 28, 2020 at 06:24:40PM -0400, Puneet Sood via dns-operations wrote:

We (Google Public DNS) have noticed some instances of nameserver
responses for a query coming from a different IP. Our initial plan was
to consider these responses invalid and discard them. However after
reading the text in RFC 1035 and the update in RFC 2181, we wanted to
check what other recursive resolvers are seeing and how they are
handling such responses.

[...]

Not dropping them further weakens the already poor resistance of
non-DNSSEC replies to off-path cache poisoning attacks.  Please
drop these, the solution is up to the server operator.

+1. the robustness principle is 180deg out of phase in this case.

The operators of such domains need to clean up their network design.


that, too.

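The check the replies in this thread ask resolvers to keep, as an added example that is not part of the original messages or of any resolver's code: a UDP reply is accepted only if it comes from the address and port the query was sent to and also matches the transaction ID and question. The names `Outstanding`, `build_msg`, `parse_question` and `accept` are hypothetical; the sample packets and addresses used with them are constructed.

```python
import struct
from dataclasses import dataclass
@dataclass(frozen=True)
class Outstanding:            # hypothetical record of one in-flight UDP query
    server: tuple             # (ip, port) the query was sent to
    txid: int
    qname: str
    qtype: int

def build_msg(txid, flags, qname, qtype):  # builds constructed sample packets
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.rstrip(".").split("."))
    head = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return head + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype, qclass); ValueError if malformed."""
    if len(msg) < 12 or msg[4:6] != b"\x00\x01":
        raise ValueError("short header or QDCOUNT != 1")
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype, qclass

def accept(q, src, msg):
    """Decide whether a datagram may answer query q. Returns (ok, reason)."""
    if src != q.server:       # reply from a different IP or port: drop it
        return False, "source address mismatch"
    try:
        txid, is_resp, qname, qtype, qclass = parse_question(msg)
    except ValueError:
        return False, "malformed"
    if not is_resp or txid != q.txid:
        return False, "txid or QR mismatch"
    if (qname, qtype, qclass) != (q.qname.rstrip(".").lower(), q.qtype, 1):  # 1 = class IN
        return False, "question mismatch"
    return True, "ok"
```

Here `src` is the `(ip, port)` tuple that `socket.recvfrom()` returns for an IPv4 UDP socket; on a socket that has been `connect()`ed to the server, the kernel performs the source-address filtering itself.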