[nsd-users] NSD 4.1.21rc1 pre-release

Anand Buddhdev anandb at ripe.net
Tue May 8 06:52:28 UTC 2018

On 07/05/2018 11:52, A. Schulze wrote:

> Is it intentional to refuse-any on UDP /and/ TCP?
>    https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-06#section-4.4
>    Implementers SHOULD provide configuration options to allow operators
>    to specify different behaviour over UDP and TCP.
> I've no idea if refuse-any will break something in my networks.
> But if one day something breaks, it would be nice to know
> NSD could be configured to at least allow ANY (old behaviour) on TCP.

I also prefer this, to refuse ANY queries over UDP, but allow them over TCP.

Actually, what Knot DNS does is to respond to ANY queries with an empty
answer and the TC bit set. The response is therefore just as small as a
REFUSED response. A genuine client will retry over TCP, and Knot answers
that. I personally prefer this to a REFUSED response.
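To make the two behaviours discussed in this thread concrete, here is an added, in-memory model (example code, not NSD or Knot DNS source): a server that handles ANY either Knot-style (empty answer with the TC bit set over UDP, full answer over TCP) or with REFUSED over UDP, and a client that retries over TCP when it sees TC. The zone contents (example.test. with one A and one AAAA record), the transport names and the function names are all constructed for the illustration; the wire format follows RFC 1035 so the messages are real DNS packets.

```python
"""In-memory model of the refuse-any options discussed above: Knot-style
empty + TC response versus REFUSED over UDP, with a TCP fallback client.
Constructed example; not NSD or Knot code."""
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_ANY, QCLASS_IN = 1, 28, 255, 1

# Header flag bits (RFC 1035 section 4.1.1)
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
RCODE_REFUSED = 5

# Constructed "zone": 192.0.2.1 and 2001:db8::1 (documentation ranges)
ZONE = {
    ("example.test.", QTYPE_A): [bytes([192, 0, 2, 1])],
    ("example.test.", QTYPE_AAAA): [bytes.fromhex("20010db8" + "0" * 23 + "1")],
}


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, pos=12):
    """Read an uncompressed name; returns (name, position after the root label)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_query(qid, name, qtype):
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def rr(qtype, rdata, ttl=300):
    # Owner name is a compression pointer to the question name at offset 12.
    return b"\xc0\x0c" + struct.pack("!HHIH", qtype, QCLASS_IN, ttl, len(rdata)) + rdata


def answer_records(name, qtype):
    if qtype == QTYPE_ANY:
        return [rr(t, r) for (n, t), rdatas in ZONE.items() if n == name for r in rdatas]
    return [rr(qtype, r) for r in ZONE.get((name, qtype), [])]


def serve(query, transport, policy="tc"):
    """Server side. policy='tc': Knot-style empty answer with TC set for ANY over UDP;
    policy='refused': RCODE REFUSED for ANY over UDP. ANY over TCP is always answered."""
    qid, qflags = struct.unpack("!HH", query[:4])
    name, end = decode_name(query)
    qtype = struct.unpack("!H", query[end:end + 2])[0]
    question = query[12:end + 4]
    flags = FLAG_QR | (qflags & FLAG_RD)
    if qtype == QTYPE_ANY and transport == "udp":
        if policy == "tc":
            return struct.pack("!HHHHHH", qid, flags | FLAG_TC, 1, 0, 0, 0) + question
        return struct.pack("!HHHHHH", qid, flags | RCODE_REFUSED, 1, 0, 0, 0) + question
    recs = answer_records(name, qtype)
    return struct.pack("!HHHHHH", qid, flags, 1, len(recs), 0, 0) + question + b"".join(recs)


def resolve(query, policy="tc"):
    """Genuine client: try UDP first, retry over TCP only when the reply is truncated.
    Returns (final reply, list of transports used)."""
    reply = serve(query, "udp", policy)
    used = ["udp"]
    if parse_header(reply)["tc"]:
        reply = serve(query, "tcp", policy)
        used.append("tcp")
    return reply, used


if __name__ == "__main__":
    q = build_query(0x1234, "example.test.", QTYPE_ANY)
    for policy in ("tc", "refused"):
        udp = serve(q, "udp", policy)
        final, used = resolve(q, policy)
        print(policy, "udp reply bytes:", len(udp), parse_header(udp),
              "| client path:", used, "ancount:", parse_header(final)["ancount"])
```

Running it shows the point Anand makes: the TC-flagged UDP reply and the REFUSED reply are the same size (header plus the echoed question), but only the TC variant leads a well-behaved client to a TCP retry that returns the full ANY answer; a REFUSED client simply stops with rcode 5.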


