[nsd-users] Unexpected responses to ANY queries over TCP
anandb at ripe.net
Thu May 7 20:26:58 UTC 2020
On 07/05/2020 22:11, Tuomo Soini wrote:
> You missed the point.
> If authoritative answers over tcp with any data, resolver dns can
> answer to victim with udp.
No, it seems you haven't understood how a resolver works. Suppose a
signed zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records,
along with RRSIG records for all these.
Now suppose a resolver queries for these records individually, one at a
time, and caches them all.
Finally, suppose a client queries this resolver with an ANY for this
zone's apex. The resolver will return *all* those cached records to the
Whether a resolver gets all these records from the authoritative server
with a single ANY query, or by querying for the records individually,
its response to a downstream client's ANY query will be the same. I can
tell you with certainty that at least BIND behaves this way, because I
have experimented and observed.
Before you reply to this thread to tell me I'm wrong, please set up a
resolver or two, and test this yourself to understand it :)
More information about the nsd-users