refuse ANY queries
wouter at nlnetlabs.nl
Fri Aug 25 11:04:08 UTC 2017
It is enabled by default, and implemented in Unbound 1.5.4. These are
the changelog entries from the download page:
- ANY responses include DNAME records if present, as per Evan Hunt's
remark in dnsop.
Unbound 1.5.4 (9 July 2015)
- Synthesize ANY responses from cache. Does not search exhaustively, but
MX,A,AAAA,SOA,NS also CNAME.
Best regards, Wouter
On 25/08/17 12:57, Petr Špaček via Unbound-users wrote:
> On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Petr,
>> Unbound already implements that draft. Method 4.1, select one (actually
>> a couple) RRsets. It picks them from cache if they are available there
>> (e.g. A record or SOA record) and if no records are in cache, it'll make
>> a query.
> Oh, nice! Is it released already?
> I'm not able to find string "refuse-any" either in
> or in SVN log.
> Curious question: How are these RRsets selected?
> For example domain cpsc.gov. which is often used for attacks using our
> resolver can produce rather large answers for QTYPE, so returning more
> than one QTYPE might not cut the size down as we would wish.
> Petr Špaček @ CZ.NIC
>> There may be tricks with local-zones or local-data or python scripting
>> or views.
>> Best regards, Wouter
>> On 25/08/17 11:42, Petr Špaček via Unbound-users wrote:
>>> is it possible to use some trick to configure Unbound to refuse ANY queries?
>>> It would be helpful for (intentionally) open recursors before
>>> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any is implemented.
>>> Thank you for your time.
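
An added example, not part of the original thread and not Unbound code: to check how far a resolver you operate trims QTYPE ANY answers, list the RR types in the answer section and compare response size to query size. The name `example.com.`, the function names and the response bytes are constructed for illustration; real bytes would come from your own resolver.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA", 39: "DNAME"}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_any_query(name, txid=0x1234):
    # Header: ID, flags (RD=1), QDCOUNT=1; question: QNAME, QTYPE=255 (ANY), QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 255, 1)

def skip_name(msg, off):
    # Walk labels until the root label or a 2-byte compression pointer
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def answer_types(msg):
    # Return the RR type of every record in the answer section, in order
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(TYPE_NAMES.get(rtype, str(rtype)))
    return types

def summarize(query, response):
    return {"rrsets": sorted(set(answer_types(response))),
            "amplification": round(len(response) / len(query), 2)}

# Constructed sample: a trimmed ANY answer holding only an A and an MX RRset
QUERY = build_any_query("example.com.")
PTR = b"\xc0\x0c"                               # pointer to QNAME at offset 12
MX_RDATA = struct.pack("!H", 10) + b"\x04mail" + PTR
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + QUERY[12:]
            + PTR + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
            + PTR + struct.pack("!HHIH", 15, 1, 300, len(MX_RDATA)) + MX_RDATA)
```

A response that lists many RR types or shows a large size ratio for an ANY query means the resolver is not trimming the answer the way the thread describes.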