[Unbound-users] reddit.com issue
Dave Duchscher
daved at nostrum.com
Mon Aug 25 12:56:00 UTC 2014
On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
>> Yes. The reddit servers (or likely, their load-balancers) are not
>> following the DNS specifications. They are dropping the query and
>> they should be replying. There was a draft at the IETF even to mark
>> this as harmful, but it did not progress through the standards track,
>> I believe. If they want to refuse the query for unclear reasons (what
>> is wrong with responding NXDOMAIN?) they could choose from nice error
>> codes like SERVFAIL and FORMERR and REFUSED.
> Yup. I have a domain that goes through cloudflare. I just asked
> cloudflare NSes for a name with a colon and it behaves the same (drop).
> When I asked the parents, they answered.
>
> Cloudflare seems to do the same thing for their customers.
>
> If not FORMERR, they could've at least sent ICMP administratively
> prohibited to mark that this particular comms is not ok with them.
> That would've made unbound record a failure.
>
> It's silly because in order to immunize your cache against this you
> would have to start your own filtering... That shouldn't be the point.
Not a customer of Cloudflare, but their help system allows outsiders to
submit, so I have submitted a help request for this problem (172999).
Maybe this is a bug.
--
Dave
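
Added example, not part of the original thread or of Unbound: a small checker that tells apart the two behaviours discussed above, a server that answers with an error code (FORMERR, REFUSED, NXDOMAIN, ...) and one that silently drops the query. The name `a:b.example.com`, the helper `fake_reply` and the timeout values are assumptions made for illustration; the sample replies are constructed, not captured traffic.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Encode a minimal DNS query (RD=0, as sent to an authoritative server)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def classify(query, response):
    """'DROPPED' if nothing came back, 'MISMATCH' if the reply is not for this query, else the RCODE name."""
    if response is None:
        return "DROPPED"
    if len(response) < 12:
        return "MISMATCH"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:  # ID differs or QR bit unset
        return "MISMATCH"
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)

def probe(server, name, timeout=3.0, tries=2):
    """Ask `server` (an IPv4 address) over UDP; every try timing out counts as a drop."""
    query = build_query(name, secrets.randbelow(0x10000))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(tries):
            s.sendto(query, (server, 53))
            try:
                return classify(query, s.recvfrom(4096)[0])
            except socket.timeout:
                continue
    return classify(query, None)

def fake_reply(query, rcode):
    """Constructed sample data: the query echoed back with QR=1 and the given RCODE."""
    return query[:2] + struct.pack("!H", 0x8000 | rcode) + query[4:]

if __name__ == "__main__":
    q = build_query("a:b.example.com", 0x1234)  # constructed name containing a colon
    for reply in (None, fake_reply(q, 1), fake_reply(q, 3), fake_reply(q, 5)):
        print(classify(q, reply))
```

`probe()` is meant to be pointed at the authoritative servers of a zone you operate or resolve through; a `DROPPED` result is the case the thread describes, where the resolver gets no failure signal to record.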