On 06.03.19 15:37, Joe Abley wrote:
> if you can find a set of DNS authority servers that silently discards
> a particular kind of query, sending such queries through resolvers
> that are known to support serve-stale might suppress other queries
> and trigger the serve-stale behaviour even though the authority
> servers are not actually unresponsive for them.

I can provide some statistics for this behavior.
There are currently around 2 million delegations in .ch. 568 domain names are hosted on authoritative name servers where all of them do not respond to some query types. A little more common is that only some do not respond to some query types.

I had the feeling that this only facilitates Kaminsky-style cache poisoning attacks but your example is indeed another attack vector.

Daniel
