Hi Wouter, thanks for your comments.

> One thing I am not sure about is that allow_minimal, with 512byte responses,
> does not allow the client to use dnssec validation, because 512 is often too
> small to do so. Or do you want it to use TCP as it receives +TC replies?
Yes, it will be +TC replies and the requester will retry the query via TCP. For the reason you said (512 bytes is too small for DNSSEC replies) we should not apply allow_minimal to all normal and legitimate users. But IMHO it's useful under some circumstances and worth some code added.

In addition to mitigating amplification attacks against legitimate users, another use case of allow_minimal is as a first step to closing an open resolver. According to my experience, the first step to implementing IP address authorization (RFC5358) on an open resolver is investigating who uses the resolver and asking them to use an appropriate resolver. This work often takes a long time, especially in a large ISP environment. To mitigate DNS amplification attacks (by this resolver) during this work we could immediately apply "allow_minimal" as a temporary configuration as below.

# Step 0: open-resolver's ACL configuration.
access-control: 0.0.0.0/0 allow
-----
# Step 1: investigating who uses this resolver…
access-control: 0.0.0.0/0 allow_minimal
# provide "full service" to definitely legitimate users.
access-control: 192.168.0.0/24 allow
access-control: 203.0.113.0/24 allow
…
-----
# Step 2: Congratulations! We've identified all IPs of legitimate users.
access-control: 192.0.2.0/24 allow
access-control: 203.0.113.0/24 allow
access-control: 192.168.0.0/24 allow
# End of ACL

The value 512 (bytes) is the current optimal value for this purpose since very few stub resolvers implement EDNS0/DNSSEC and many DNS administrators keep the DNS response message size up to 512 bytes to avoid TCP fallback.

Regards,
-- 
Daisuke HIGASHI <[email protected]>

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
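As an added illustration, not the patch under discussion or Unbound's own code, here is a small Python model of the ACL semantics described in the mail: longest-prefix match over access-control entries, and allow_minimal answering up to 512 bytes over UDP while truncating (+TC) larger replies so the client retries over TCP. It assumes the full answer is served over TCP and that a client matching no entry is refused; the ACL text and client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the access-control semantics described in the mail:
# longest-prefix match, "allow_minimal" answering at most MINIMAL_LIMIT bytes
# over UDP and truncating (+TC) anything larger so the client retries over TCP.
# Assumed: full answers over TCP; unmatched clients are refused. Not Unbound's code.
MINIMAL_LIMIT = 512

# Constructed copy of the "Step 1" ACL from the mail.
STEP1_ACL = """
# Step 1: investigating who uses this resolver
access-control: 0.0.0.0/0 allow_minimal
# provide "full service" to definitely legitimate users.
access-control: 192.168.0.0/24 allow
access-control: 203.0.113.0/24 allow
"""

@dataclass(frozen=True)
class Entry:
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    action: str  # allow | allow_minimal | refuse | deny

def parse_acl(text):
    """Parse 'access-control: <net> <action>' lines, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, net, action = line.split()
        entries.append(Entry(ipaddress.ip_network(net), action))
    return entries

def lookup(entries, client_ip):
    """Most specific matching entry wins; no match means refuse (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    hits = [e for e in entries if ip in e.network]
    return max(hits, key=lambda e: e.network.prefixlen).action if hits else "refuse"

def answer(entries, client_ip, response_size, over_tcp=False):
    """Return (what is sent, bytes on the wire) for one query."""
    action = lookup(entries, client_ip)
    if action == "allow":
        return ("reply", response_size)
    if action == "allow_minimal":
        if over_tcp or response_size <= MINIMAL_LIMIT:
            return ("reply", response_size)
        return ("tc", MINIMAL_LIMIT)  # truncated reply; client retries over TCP
    return ("refuse", 0)
```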
