On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak <[email protected]> wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <[email protected]>
> wrote:
>> Yes. The reddit servers (or likely, their load-balancers) are not
>> following the DNS specifications. They are dropping the query and
>> they should be replying. There was a draft at the IETF even to mark
>> this as harmful, but it did not progress through the standards track,
>> I believe. If they want to refuse the query for unclear reasons (what
>> is wrong with responding NXDOMAIN?) they could choose from nice error
>> codes like SERVFAIL and FORMERR and REFUSED.
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same (drop)
> When I asked the parents, they answered.
>
> Cloudflare seems to do the same thing for their customers.
>
> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
>
> It's silly because in order to immunize your cache against this you
> would have to start your own filtering... That shouldn't be the point.

Not a customer of Cloudflare but their help system allows outsiders to
submit so I have submitted a help request for this problem (172999).
Maybe this is a bug.

--
Dave
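Added example (not part of the original thread, and not Unbound's code): a small classifier for the distinction discussed above, between a server that answers with an error RCODE and one that silently drops the query. The name "a:b.example.com", the function names and the reply bytes are constructed for illustration; a timeout is represented by None.

```python
import struct

# RCODE values from the DNS header (RFC 1035).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qid, qtype=1):
    """Encode a minimal DNS query (RD clear, as sent to an authoritative server)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("label length must be 1..63 octets")
        labels += bytes([len(label)]) + label   # a colon is just another octet here
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def make_response(query, rcode):
    """Constructed reply: echo the question, set QR and AA plus the given RCODE."""
    return query[:2] + struct.pack("!H", 0x8400 | rcode) + query[4:]

def classify(query, response):
    """Classify the outcome; `response` is None when the wait timed out."""
    if response is None:
        return "DROPPED (no reply; the resolver can only time out and retry)"
    if len(response) < 12:
        return "MALFORMED (shorter than a DNS header)"
    rid, flags = struct.unpack("!HH", response[:4])
    qid = struct.unpack("!H", query[:2])[0]
    if rid != qid or not flags & 0x8000:
        return "MISMATCH (not a response to this query)"
    rcode = flags & 0x000F
    return "ANSWERED " + RCODES.get(rcode, "RCODE %d" % rcode)

if __name__ == "__main__":
    q = build_query("a:b.example.com", 0x1234)
    # Constructed outcomes: three explicit error replies and one silent drop.
    for reply in (make_response(q, 1), make_response(q, 3), make_response(q, 5), None):
        print(classify(q, reply))
```

Any of the ANSWERED outcomes gives the resolver something definite to act on; the DROPPED case is indistinguishable from packet loss.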
