Hi Dave,

On 08/25/2014 03:24 PM, Dave Duchscher wrote:
> On Aug 25, 2014, at 7:56 AM, Dave Duchscher <[email protected]> wrote:
>
>> On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak <[email protected]> wrote:
>>
>>> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <[email protected]> wrote:
>>>> Yes. The reddit servers (or likely, their load-balancers)
>>>> are not following the DNS specifications. They are dropping
>>>> the query and they should be replying. There was a draft at
>>>> the IETF even to mark this as harmful, but it did not
>>>> progress through the standards track, I believe. If they
>>>> want to refuse the query for unclear reasons (what is wrong
>>>> with responding NXDOMAIN?) they could choose from nice error
>>>> codes like SERVFAIL and FORMERR and REFUSED.
>>> Yup. I have a domain that goes through cloudflare. I just
>>> asked cloudflare NSes for a name with a colon and it behaves
>>> the same (drop). When I asked the parents, they answered.
>>>
>>> Cloudflare seems to do the same thing for their customers.
>>>
>>> If not FORMERR, they could've at least sent ICMP
>>> administratively prohibited to mark that this particular comms
>>> is not ok with them. That would've made unbound record a
>>> failure.
>>>
>>> It's silly because in order to immunize your cache against this
>>> you would have to start your own filtering... That shouldn't be
>>> the point.
>>
>> Not a customer of Cloudflare but their help system allows
>> outsiders to submit so I have submitted a help request for this
>> problem (172999). Maybe this is a bug.
>
> Cloudflare's response:
>
>> Hey there,
>>
>> Because the DNS query "http://reddit.com" is technically not
>> valid (since DNS queries should not contain the protocol URI),
>> CloudFlare's DNS servers will not respond to them.
>>
>> Since these kinds of invalid queries don't get this far in the
>> normal DNS system (since they get dropped at the root servers)
>>
>> Let us know if you need any other help Thanks
>
>
> *sigh*

The root servers certainly respond. I got a very neat referral to
.com. Well, they list "http://reddit.com" which is a dotCOM domain
with a colon in it, that stops somewhere at the .com servers. And
does not reach CloudFlare, so they are right about that one. But the
trouble is with "http://www.reddit.com" because the DNS servers for
'reddit.com' do not respond for it.

Best regards,
   Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
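The label split behind the distinction drawn in the message above, as an added example that is not part of the original thread: it shows why "http://reddit.com" ends at the .com servers while "http://www.reddit.com" reaches the reddit.com servers, and how a reply with an RCODE differs from a dropped query on the wire. The delegation table, function names and the sample reply are constructed assumptions.

```python
import struct

# Constructed delegation data (assumption): which zones exist below the root.
DELEGATIONS = {("com",): ".com servers", ("reddit", "com"): "reddit.com servers"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def labels(qname):
    """Split on dots only; ':' and '/' are ordinary octets inside a label."""
    return tuple(part for part in qname.rstrip(".").lower().split(".") if part)

def build_query(qname, qid=0x1234):
    """Wire-format A/IN query, RD clear, as sent to an authoritative server."""
    question = b""
    for label in labels(qname):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label exceeds 63 octets")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + question

def last_servers_asked(qname):
    """Follow referrals down from the root until no deeper delegation exists."""
    parts, asked = labels(qname), "root servers"
    for i in range(len(parts) - 1, -1, -1):
        zone = DELEGATIONS.get(parts[i:])
        if zone is None:
            break
        asked = zone
    return asked

def classify(reply, qid=0x1234):
    """None models a dropped query (timeout); otherwise report the RCODE."""
    if reply is None:
        return "no reply (dropped)"
    if len(reply) < 12:
        return "malformed reply"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:  # ID mismatch or QR bit not set
        return "not a reply to this query"
    return RCODES.get(flags & 0x000F, "RCODE %d" % (flags & 0x000F))

if __name__ == "__main__":
    for name in ("http://reddit.com", "http://www.reddit.com"):
        print(name, labels(name), "->", last_servers_asked(name))
    # Constructed reply: same question section, header flags QR|AA with RCODE 3.
    q = build_query("http://www.reddit.com")
    nx = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 0, 0) + q[12:]
    print(classify(nx), "|", classify(None))
```
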
