[nsd-users] NSD 4.1.21rc1 pre-release

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon May 14 11:13:08 UTC 2018


Hi Anand,

On 08/05/18 08:52, Anand Buddhdev wrote:
> On 07/05/2018 11:52, A. Schulze wrote:
> 
>> Is it intentional to refuse-any on UDP /and/ TCP?
>>
>>    https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-06#section-4.4
>>
>>    Implementers SHOULD provide configuration options to allow operators
>>    to specify different behaviour over UDP and TCP.
>>
>> I've no idea if refuse-any will break something in my networks.
>> But if one day something breaks, it would be nice to know
>> NSD could be configured to at least allow ANY (old behaviour) on TCP.
> 
> I also prefer this, to refuse ANY queries over UDP, but allow them over TCP.

Alright, I have implemented this for the next release.  It replies
with a 12-byte packet with the TC flag set to UDP queries of type ANY.
That makes the reply smaller than the query.

TCP queries of type ANY are not obstructed, and get a normal answer.

Best regards, Wouter

> 
> Actually, what Knot DNS does is to respond to ANY queries with an empty
> answer and the TC bit set. The response is therefore just as small as a
> REFUSED response. A genuine client will retry over TCP, and Knot answers
> that. I personally prefer this to a REFUSED response.
> 
> Regards,
> Anand

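The behaviour described in this thread (a header-only, truncated reply to UDP ANY queries, normal processing over TCP) worked through as an added example. This is illustrative code written for this archive page, not NSD's or Knot's implementation; the packet builder, parser and the `handle_any`/`refuse_any_udp` names are assumptions, and the sample query is constructed inline.

```python
import struct

QTYPE_ANY = 255
HEADER_LEN = 12
FLAG_QR = 0x8000      # response bit
FLAG_OPCODE = 0x7800  # opcode field, preserved from the query
FLAG_TC = 0x0200      # truncated: tells a genuine client to retry over TCP
FLAG_RD = 0x0100      # recursion desired, echoed back unchanged


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, qid=0x1234, rd=True):
    """Build a minimal DNS query: 12-byte header plus one question."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Parse the header and single question of a DNS query packet."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:HEADER_LEN])
    if flags & FLAG_QR:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = HEADER_LEN
    labels = []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"id": qid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass}


def truncated_reply(query_pkt):
    """Header-only (12-byte) response: QR and TC set, all section counts zero.

    QDCOUNT is 0 so the question is not echoed, which is what keeps the reply
    smaller than the query and removes any amplification value.
    """
    q = parse_query(query_pkt)
    flags = FLAG_QR | FLAG_TC | (q["flags"] & (FLAG_OPCODE | FLAG_RD))
    return struct.pack("!HHHHHH", q["id"], flags, 0, 0, 0, 0)


def handle_any(query_pkt, transport, refuse_any_udp=True):
    """Return the short TC reply for UDP ANY queries, or None to mean
    'answer normally' (TCP, non-ANY, or the option switched off)."""
    q = parse_query(query_pkt)
    if q["qtype"] == QTYPE_ANY and transport == "udp" and refuse_any_udp:
        return truncated_reply(query_pkt)
    return None


if __name__ == "__main__":
    # Constructed sample: ANY query for example.com (29 bytes on the wire).
    query = build_query("example.com.", QTYPE_ANY)
    reply = handle_any(query, "udp")
    print("query %d bytes, udp reply %d bytes, flags 0x%04x"
          % (len(query), len(reply), struct.unpack("!H", reply[2:4])[0]))
    print("tcp path:", handle_any(query, "tcp"))
```

The design point is the zeroed QDCOUNT: a reply that copied the question back would be at least as large as the query, whereas the bare header is always 12 bytes regardless of how long the queried name is.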
