refuse ANY queries
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Fri Aug 25 11:04:08 UTC 2017

Hi Petr,

It is enabled by default, and implemented in Unbound 1.5.4. These are
the changelog entries from the download page:

Unbound 1.5.6
- ANY responses include DNAME records if present, as per Evan Hunt's
  remark in dnsop.

Unbound 1.5.4 (9 july 2015)
- Synthesize ANY responses from cache. Does not search exhaustively, but
  MX,A,AAAA,SOA,NS also CNAME.

Best regards, Wouter

On 25/08/17 12:57, Petr Špaček via Unbound-users wrote:
> On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote:
>> Hi Petr,
>>
>> Unbound already implements that draft. Method 4.1, select one (actually
>> a couple) RRsets. It picks them from cache if they are available there
>> (eg. A record or SOA record) and if no records are in cache, it'll make
>> a query.
>
> Oh, nice! Is it released already?
>
> I'm not able to find string "refuse-any" either in
> http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog
> or in SVN log.
>
>
> Curious question: How are these RRsets selected?
> For example domain cpsc.gov. which is often used for attacks using our
> resolver can produce rather large answers for QTYPE, so returning more
> than one QTYPE might not cut the size down as we would wish.
>
> Petr Špaček @ CZ.NIC
>
>
>>
>> There may be tricks with local-zones or local-data or python scripting
>> or views.
>>
>> Best regards, Wouter
>>
>> On 25/08/17 11:42, Petr Špaček via Unbound-users wrote:
>>> Hello,
>>>
>>> is it possible to use some trick to configure Unbound to refuse ANY queries?
>>>
>>> It would be helpful for (intentionally) open recursors before
>>> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any is implemented.
>>>
>>> Thank you for your time.
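
The selection behaviour described in this thread, as an added example that is not part of the original message and is not Unbound's code: a simplified Python model that answers ANY from a short fixed list of cached RRset types and signals an upstream query when none of them is cached. The candidate type order, the cache layout and the sample records are assumptions made for illustration.

```python
# Simplified model of the ANY handling described in this thread: answer from
# RRsets that are already cached, checking a short fixed list of types instead
# of enumerating everything at the name. Not Unbound's code; the type order,
# cache layout and sample records are assumptions made for illustration.

# Types named in the 1.5.4 changelog entry, plus DNAME from the 1.5.6 entry.
ANY_CANDIDATE_TYPES = ("MX", "A", "AAAA", "SOA", "NS", "CNAME", "DNAME")


def synthesize_any(cache, qname, now):
    """Return (rrsets, needs_upstream_query) for an ANY query on qname."""
    answer = []
    for rrtype in ANY_CANDIDATE_TYPES:
        entry = cache.get((qname.lower(), rrtype))
        if entry is None:
            continue
        expires, rdata = entry
        if expires <= now:  # this model skips expired cache entries
            continue
        answer.append((rrtype, expires - now, rdata))
    # Nothing usable in cache: the resolver has to make a query upstream.
    return answer, not answer


def answer_types(cache, qname, now):
    """RR types that would appear in the synthesized ANY answer."""
    return [rrtype for rrtype, _ttl, _rdata in synthesize_any(cache, qname, now)[0]]


# Constructed cache contents: (owner name, type) -> (expiry time, rdata list).
CACHE = {
    ("example.test.", "A"): (1300, ["192.0.2.10"]),
    ("example.test.", "SOA"): (
        1900, ["ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 300"]),
    # Large RRset of a type outside the candidate list: never returned here.
    ("example.test.", "TXT"): (1900, ["v=spf1 -all"] * 40),
    # Candidate type, but already expired at now=1000.
    ("example.test.", "MX"): (900, ["10 mail.example.test."]),
}

if __name__ == "__main__":
    rrsets, upstream = synthesize_any(CACHE, "Example.TEST.", now=1000)
    for rrtype, ttl, rdata in rrsets:
        print(rrtype, ttl, rdata)
    print("upstream query needed:", upstream)
    print(synthesize_any(CACHE, "uncached.test.", now=1000))
```

In this model the 40-string TXT RRset never reaches the ANY answer, which is the size concern raised in the quoted question; whether a real resolver behaves the same way for a given name has to be checked against that resolver.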