Hi,

On 11/20/2015 10:11 AM, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Ian,
>
> On 11/19/2015 09:47 PM, Ian Cohee via Unbound-users wrote:
>> Hello all,
>
>> One of our engineers discovered some interesting behavior while
>> testing bad EDNS RRs in Unbound. He discovered that Unbound
>> properly checks and identifies a truncated OPT RR as a FORMERR,
>> but then returns the truncated OPT RR, resulting in a malformed
>> response to a malformed request. I have attached a PCAP file
>> that should contain the malformed requests/responses.
>
> There is a fix now, unbound will remove the EDNS section from that
> reply.
>
> This may cause the sender to think the server does not support
> EDNS and then drop EDNS from its queries - and that is exactly
> right because its EDNS contents cannot be parsed.

And fixed to reply with a valid EDNS record without options in it in
the FORMERR message. This is for RFC compliance, as Yuri points out.

Best regards, Wouter

>
> Best regards, Wouter
>
>
>> Has anyone observed this behavior, and if so, had issues from
>> it?
>
>> I'd also like to hear some opinions about this behavior.
>
>> Thanks,
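The behaviour discussed in this thread (detect a truncated OPT RR, answer FORMERR, and attach a fresh OPT record with no options rather than echoing the sender's bytes), as an added Python example that is not Unbound's code and not part of the original messages. The function names, the advertised UDP size of 1232 and the sample query are assumptions constructed for illustration; the code assumes one well-formed question and the OPT RR as the first additional record.

```python
import struct

TYPE_OPT, RCODE_FORMERR = 41, 1

def skip_name(msg, off):
    """Return the offset just past a domain name (labels or a pointer)."""
    while off < len(msg):
        length = msg[off]
        if length == 0 or length & 0xC0 == 0xC0:
            return off + (1 if length == 0 else 2)
        off += 1 + length
    raise ValueError("name runs past end of message")

def parse_opt(msg, off):
    """Return the OPT RDATA at off; raise ValueError if anything is cut short."""
    off = skip_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("OPT fixed fields truncated")
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype != TYPE_OPT or off + rdlen > len(msg):
        raise ValueError("not an OPT RR, or RDATA truncated")
    rdata, pos = msg[off:off + rdlen], 0
    while pos < len(rdata):  # walk {code, length, data} options (RFC 6891)
        if pos + 4 > len(rdata):
            raise ValueError("option header truncated")
        pos += 4 + struct.unpack_from("!H", rdata, pos + 2)[0]
    if pos != len(rdata):
        raise ValueError("option data truncated")
    return rdata

def reply_for(query, udp_size=1232):
    """None if the query's OPT parses; otherwise a FORMERR reply with a clean OPT."""
    qid, flags, _qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", query, 0)
    qend = skip_name(query, 12) + 4  # assumes one well-formed question
    try:
        if ar:
            parse_opt(query, qend)  # assumes OPT is the first additional RR
        return None
    except ValueError:
        head = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x7900) | RCODE_FORMERR, 1, 0, 0, 1)
        empty_opt = struct.pack("!BHHIH", 0, TYPE_OPT, udp_size, 0, 0)  # no options
        return head + query[12:qend] + empty_opt  # never echo the sender's OPT bytes

def sample_query(rdlen, rdata):
    """Constructed query for example.com A with an OPT claiming rdlen bytes."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = struct.pack("!BHHIH", 0, TYPE_OPT, 1232, 0, rdlen) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + question + opt
```

Running `parse_opt` over the reply itself is a quick regression check that the FORMERR answer is well formed, which is the property the original report found missing.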
