Hi Tuomo,

On 07/05/2020 22:11, Tuomo Soini wrote:
> You missed the point. If the authoritative server answers over TCP with ANY data, the resolver DNS can answer the victim with UDP.
No, it seems you haven't understood how a resolver works. Suppose a signed zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records, along with RRSIG records for all these.
Now suppose a resolver queries for these records individually, one at a time, and caches them all.
Finally, suppose a client queries this resolver with an ANY for this zone's apex. The resolver will return *all* those cached records to the client.
Whether a resolver gets all these records from the authoritative server with a single ANY query, or by querying for the records individually, its response to a downstream client's ANY query will be the same. I can tell you with certainty that at least BIND behaves this way, because I have experimented and observed.
Before you reply to this thread to tell me I'm wrong, please set up a resolver or two, and test this yourself to understand it :)
Regards,
Anand

_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
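The following is an added illustration of the cache behaviour Anand describes; it is example code written for this page, not code from the thread, from NSD or from BIND. It models a signed apex with the record types he lists, fills one resolver cache with single-type queries and another with a single ANY query to the authoritative server, and shows that both hand a downstream ANY client the same set of RRsets. The zone name `example.test.`, all rdata, the signature placeholders and the `minimal` option (a resolver-side knob modelled on RFC 8482's minimal ANY responses) are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RRset:
    """One RRset: all records of one type at one owner name. For RRSIG the
    'covers' field holds the signed type, since RRSIGs are cached per covered type."""
    name: str
    rtype: str
    rdata: tuple
    covers: str = ""


# Constructed sample zone (not real data): a signed apex with the record types
# named in the thread, each with its RRSIG. Name, rdata and signatures are made up.
APEX = "example.test."
DATA = [
    RRset(APEX, "SOA", ("ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600",)),
    RRset(APEX, "A", ("192.0.2.1",)),
    RRset(APEX, "AAAA", ("2001:db8::1",)),
    RRset(APEX, "TXT", ('"v=spf1 -all"',)),
    RRset(APEX, "DNSKEY", ("257 3 13 <constructed-key>",)),
    RRset(APEX, "MX", ("10 mail.example.test.",)),
    RRset(APEX, "NS", ("ns1.example.test.", "ns2.example.test.")),
]
ZONE = DATA + [RRset(APEX, "RRSIG", (f"{r.rtype} 13 2 3600 <constructed-sig>",), covers=r.rtype)
               for r in DATA]


def authoritative_lookup(zone, name, qtype):
    """Authoritative answer to a single-type query: the RRset of that type and,
    because the zone is signed, the RRSIG covering it."""
    return [r for r in zone if r.name == name
            and (r.rtype == qtype or (r.rtype == "RRSIG" and r.covers == qtype))]


def authoritative_any(zone, name):
    """Authoritative answer to QTYPE=ANY (e.g. over TCP): every RRset at the name."""
    return [r for r in zone if r.name == name]


@dataclass
class ResolverCache:
    """Cache keyed by (owner, type, covered type): each RRset is stored on its own,
    whichever query brought it in."""
    rrsets: dict = field(default_factory=dict)

    def store(self, answer):
        for r in answer:
            self.rrsets[(r.name, r.rtype, r.covers)] = r

    def answer_any(self, name, minimal=False):
        """Answer a downstream ANY query from cache: everything cached at the name.
        With minimal=True (assumed mitigation knob, RFC 8482 style) return just one
        RRset plus its RRSIG instead of the whole set."""
        found = sorted((r for r in self.rrsets.values() if r.name == name),
                       key=lambda r: (r.rtype, r.covers))
        if minimal and found:
            first = found[0]
            return [r for r in found
                    if r is first or (r.rtype == "RRSIG" and r.covers == first.rtype)]
        return found


def build_resolvers(zone, name):
    """Two resolvers: one fills its cache with single-type queries, the other
    with one ANY query to the authoritative server."""
    by_type = ResolverCache()
    for qtype in ("SOA", "A", "AAAA", "TXT", "DNSKEY", "MX", "NS"):
        by_type.store(authoritative_lookup(zone, name, qtype))
    by_any = ResolverCache()
    by_any.store(authoritative_any(zone, name))
    return by_type, by_any


def same_any_answer(zone, name):
    """True when both resolvers give a downstream ANY client identical RRsets."""
    by_type, by_any = build_resolvers(zone, name)
    return by_type.answer_any(name) == by_any.answer_any(name)


if __name__ == "__main__":
    by_type, by_any = build_resolvers(ZONE, APEX)
    print("identical ANY answer from cache:", same_any_answer(ZONE, APEX))
    print("RRsets in full ANY answer:", len(by_type.answer_any(APEX)),
          "| with minimal ANY:", len(by_type.answer_any(APEX, minimal=True)))
```

The point the comparison makes is that restricting ANY on the authoritative side (for instance answering it only over TCP) does not change what a resolver's cache can serve over UDP; if the response size of ANY answers is the concern, the place to limit them is the resolver's own ANY handling, which the `minimal` flag stands in for here.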
