[nsd-users] NSD 4.1.21rc1 pre-release
Anand Buddhdev
anandb at ripe.net
Tue May 8 06:52:28 UTC 2018
On 07/05/2018 11:52, A. Schulze wrote:
> Is it intentional to refuse-any on UDP /and/ TCP?
>
> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-06#section-4.4
>
> Implementers SHOULD provide configuration options to allow operators
> to specify different behaviour over UDP and TCP.
>
> I've no idea if refuse-any will break something in my networks.
> But if one day something breaks, it would be nice to know
> NSD could be configured to at least allow ANY (old behaviour) on TCP.

I also prefer this, to refuse ANY queries over UDP, but allow them over TCP.

Actually, what Knot DNS does is to respond to ANY queries with an empty
answer and the TC bit set. The response is therefore just as small as a
REFUSED response. A genuine client will retry over TCP, and Knot answers
that. I personally prefer this to a REFUSED response.

Regards,
Anand
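
The two UDP behaviours compared in this message, at the DNS wire level, as an added example that is not part of the original message and is not NSD or Knot DNS code. The function names and the sample query are constructed for illustration, and a real server may set header flags beyond the ones shown here.

```python
import struct

QTYPE_ANY, CLASS_IN, RCODE_REFUSED = 255, 1, 5
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qid, name, qtype):
    """Build a one-question query with RD set, as a stub resolver would."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_question(msg):
    """Return (qid, flags, qtype, offset just past the question section)."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("need a full header and exactly one question")
    pos = 12
    while True:
        if pos >= len(msg) or msg[pos] & 0xC0:
            raise ValueError("truncated or compressed question name")
        step = msg[pos]
        pos += 1 + step
        if step == 0:
            break
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qid, flags = struct.unpack("!HH", msg[:4])
    return qid, flags, struct.unpack("!H", msg[pos:pos + 2])[0], pos + 4

def answer_any_over_udp(query, policy):
    """Answer an ANY query over UDP; policy 'truncate' sets TC, else REFUSED."""
    qid, flags, qtype, end = parse_question(query)
    if qtype != QTYPE_ANY:
        raise ValueError("only ANY queries are handled here")
    out = FLAG_QR | (flags & FLAG_RD)  # echo RD from the query
    out |= FLAG_TC if policy == "truncate" else RCODE_REFUSED
    return struct.pack("!HHHHHH", qid, out, 1, 0, 0, 0) + query[12:end]

def should_retry_over_tcp(response):
    """Client side: the TC bit tells a genuine client to retry over TCP."""
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)
```

Both replies consist of the 12-byte header plus the echoed question, so neither gives a spoofed-source sender any amplification; only the TC reply leaves a path for a real client to get its answer.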