> On May 7, 2020, at 16:27, Anand Buddhdev via nsd-users
> <[email protected]> wrote:
>
> On 07/05/2020 22:11, Tuomo Soini wrote:
>
> Hi Tuomo,
>
>> You missed the point.
>> If the authoritative answers over TCP with ANY data, the resolver DNS can
>> answer the victim with UDP.
>
> No, it seems you haven't understood how a resolver works. Suppose a signed
> zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records, along with
> RRSIG records for all these.
>
> Now suppose a resolver queries for these records individually, one at a time,
> and caches them all.
>
> Finally, suppose a client queries this resolver with an ANY for this zone's
> apex. The resolver will return *all* those cached records to the client.
>
> Whether a resolver gets all these records from the authoritative server with
> a single ANY query, or by querying for the records individually, its response
> to a downstream client's ANY query will be the same. I can tell you with
> certainty that at least BIND behaves this way, because I have experimented
> and observed.
The two of you keep bringing up only one case: amplification with a spoofed
source, or an open resolver used for amplification. Both are problems.
An authoritative server preventing ANY over TCP might be helping a little bit,
but not much. That degree is where the two of you disagree. There is an implicit
requirement that doing ANY over TCP could be useful, for debugging, and should
perhaps not be blocked.
> Before you reply to this thread to tell me I'm wrong, please set up a
> resolver or two, and test this yourself to understand it :)
This comment was unnecessary and impolite.
Paul
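The resolver walk-through quoted above (individual queries filling the cache, then a downstream ANY served from that cache), as an added illustration that is not part of this thread, of NSD, or of BIND: a toy authoritative server that refuses ANY, a toy caching resolver, and a rough wire-size estimate of what a cached ANY answer weighs against the query that asked for it. The zone data, the record sizes, and every class and function name here are constructed for the example.

```python
"""Toy model of a caching resolver answering ANY from cache.

Added example, not code from the nsd-users thread, NSD or BIND.  The zone
contents, record sizes and wire-size arithmetic are constructed here to
show that a resolver which fetched each RRset individually serves the
same ANY answer as one that fetched them with a single ANY.
"""
from dataclasses import dataclass
from typing import Optional

HEADER = 12       # DNS message header
RR_OVERHEAD = 12  # compressed owner pointer(2) + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2)


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple        # one bytes entry per record
    sigs: tuple = ()    # RRSIG rdata covering this RRset (DNSSEC)

    def wire_size(self) -> int:
        return sum(RR_OVERHEAD + len(r) for r in self.rdata + self.sigs)


def qname_wire_size(name: str) -> int:
    """1 length byte per label, plus the root label."""
    return sum(1 + len(l) for l in name.rstrip(".").split(".") if l) + 1


def query_size(name: str) -> int:
    """Plain query without EDNS: header + QNAME + QTYPE + QCLASS."""
    return HEADER + qname_wire_size(name) + 4


def response_size(name: str, rrsets: list) -> int:
    """Header + echoed question + all RRs in the answer section."""
    return query_size(name) + sum(r.wire_size() for r in rrsets)


class Authoritative:
    """Serves one zone; may refuse ANY outright (cf. RFC 8482).  Transport is
    not modelled: only what reaches the resolver's cache matters here."""

    def __init__(self, rrsets: list, refuse_any: bool) -> None:
        self.data = {(r.name, r.rtype): r for r in rrsets}
        self.refuse_any = refuse_any

    def query(self, name: str, qtype: str) -> Optional[list]:
        if qtype == "ANY":
            if self.refuse_any:
                return None
            return [r for (n, _), r in self.data.items() if n == name]
        r = self.data.get((name, qtype))
        return [r] if r else []


class Resolver:
    """Caching resolver: an ANY answer is whatever RRsets the cache holds for
    the name, regardless of how they got there."""

    def __init__(self, upstream: Authoritative) -> None:
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name: str, qtype: str) -> list:
        if qtype == "ANY":
            cached = [r for (n, _), r in self.cache.items() if n == name]
            if cached:
                return cached                      # served from cache alone
            answer = self.upstream.query(name, "ANY") or []   # None: refused
        elif (name, qtype) in self.cache:
            return [self.cache[(name, qtype)]]
        else:
            answer = self.upstream.query(name, qtype) or []
        for r in answer:
            self.cache[(r.name, r.rtype)] = r
        return answer


# Constructed signed-zone apex; byte lengths stand in for real rdata
# (a 2048-bit RSA DNSKEY is ~260 bytes, an RSA-1024 RRSIG ~150 bytes).
APEX = "example.com."
SIG = (b"\0" * 150,)
ZONE = [
    RRset(APEX, "SOA", (b"\0" * 48,), SIG),
    RRset(APEX, "A", (b"\0" * 4,), SIG),
    RRset(APEX, "AAAA", (b"\0" * 16,), SIG),
    RRset(APEX, "TXT", (b"\0" * 60,), SIG),
    RRset(APEX, "DNSKEY", (b"\0" * 260, b"\0" * 132), SIG),
    RRset(APEX, "MX", (b"\0" * 20,), SIG),
    RRset(APEX, "NS", (b"\0" * 16, b"\0" * 16), SIG),
]


def any_via_individual_queries() -> list:
    """Upstream refuses ANY; the resolver warms its cache one type at a time."""
    res = Resolver(Authoritative(ZONE, refuse_any=True))
    assert res.resolve(APEX, "ANY") == []          # cold cache: nothing to give
    for r in ZONE:
        res.resolve(APEX, r.rtype)
    return res.resolve(APEX, "ANY")


def any_via_single_any() -> list:
    """Upstream allows ANY; the resolver fills its cache in one exchange."""
    return Resolver(Authoritative(ZONE, refuse_any=False)).resolve(APEX, "ANY")


if __name__ == "__main__":
    a, b = any_via_individual_queries(), any_via_single_any()
    print("same ANY answer:", set(a) == set(b), "- RRsets:", len(a))
    q, r = query_size(APEX), response_size(APEX, a)
    print(f"{q}-byte query -> {r}-byte response, amplification x{r / q:.1f}")
```

The size arithmetic leaves out the EDNS OPT record and assumes an advertised buffer large enough to carry the whole answer over UDP; with these constructed sizes a 29-byte ANY query draws a response of roughly 1.8 KB from the resolver's cache whether or not the authoritative server ever answered an ANY itself.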
_______________________________________________
nsd-users mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users