[nsd-users] Unexpected responses to ANY queries over TCP

Paul Wouters paul at nohats.ca
Thu May 7 20:38:02 UTC 2020

Sent from my iPhone
> On May 7, 2020, at 16:27, Anand Buddhdev via nsd-users <nsd-users at lists.nlnetlabs.nl> wrote:
> On 07/05/2020 22:11, Tuomo Soini wrote:
> Hi Tuomo,
>> You missed the point.
>> If authoritative answers over tcp with any data, resolver dns can
>> answer to victim with udp.
> No, it seems you haven't understood how a resolver works. Suppose a signed zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records, along with RRSIG records for all these.
> Now suppose a resolver queries for these records individually, one at a time, and caches them all.
> Finally, suppose a client queries this resolver with an ANY for this zone's apex. The resolver will return *all* those cached records to the client.
> Whether a resolver gets all these records from the authoritative server with a single ANY query, or by querying for the records individually, its response to a downstream client's ANY query will be the same. I can tell you with certainty that at least BIND behaves this way, because I have experimented and observed.

The two of you keep only bringing up one case, amplification with spoofed source, or open resolver used for amplification. Both are problems.

An authoritative server preventing ANY over TCP might be helping a little bit, but not much. That degree is where both of you disagree. There is an implicit requirement that doing ANY over TCP could be useful, for debugging, and should perhaps not be blocked.

> Before you reply to this thread to tell me I'm wrong, please set up a resolver or two, and test this yourself to understand it :)

This comment was unnecessary and impolite.


More information about the nsd-users mailing list