Unbound generates header-only REFUSED responses
Frank Cusack
frank at windscribe.com
Tue Jul 9 18:28:47 UTC 2024
From the bugzilla:

> This is tough situation

Well I'm not understanding what's tough. You have the ip:port as well.
Client txn ID should be random so within a small timeout this should be
easily and reliably matched?

I'm just a user not an unbound dev but IMO I wish the RFC (and its updates)
were more clear on this.

The only important aspect on response size (wrt best practice) is that the
response payload fits within a single UDP datagram. Since the question is
guaranteed to fit in 512 bytes, unbound is wrong here.

As a reference point, Windows Server stub resolver does the same thing --
ignores header-only responses. Windows Desktop however will match.

On Mon, Jul 8, 2024 at 6:52 AM Florian Weimer via Unbound-users <
unbound-users at lists.nlnetlabs.nl> wrote:
> It's been reported that glibc does not recognize REFUSED responses
> generated by Unbound with this configuration:
>
> server:
>     interface: 0.0.0.0
>     access-control: 0.0.0.0/0 refuse
>
> Our bug report is here:
>
> DNS stub resolver ignores header-only error responses
> <https://sourceware.org/bugzilla/show_bug.cgi?id=31890>
>
> I've got a fix, but it goes somewhat against what I think are current
> stub resolver practices: do not ignore the question section for response
> matching. Are my expectations just wrong? Is it more important for
> servers to produce smaller responses?
>
> Thanks,
> Florian
>
>
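The two matching policies debated in this thread, as an added example that is not part of the original messages and is not glibc's or Unbound's code. The names `match_response` and `accept_header_only`, the server address and the packets are hypothetical, constructed for illustration.

```python
import struct

REFUSED = 5  # RCODE 5 as defined in RFC 1035

def encode_question(name, qtype=1, qclass=1):
    """Wire form of one question: length-prefixed labels, QTYPE, QCLASS."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def match_response(pending, packet, src, accept_header_only):
    """Classify a datagram as 'matched', 'header-only-error' or 'ignore'."""
    if src != pending["server"] or len(packet) < 12:
        return "ignore"                      # wrong peer or truncated header
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if txid != pending["txid"] or not flags & 0x8000:
        return "ignore"                      # wrong ID, or QR bit not set
    if qdcount == 0:
        # No question to compare: only ip:port and the ID tie it to our query.
        if accept_header_only and flags & 0x000F:
            return "header-only-error"       # relaxed policy, error RCODE only
        return "ignore"                      # strict policy drops it
    q = pending["question"]
    got = packet[12:12 + len(q)]
    # Question present: name compared case-insensitively, type/class exactly.
    if qdcount != 1 or got[:-4].lower() != q[:-4].lower() or got[-4:] != q[-4:]:
        return "ignore"
    return "matched"

# Constructed sample data: one outstanding query and two REFUSED replies.
SERVER = ("192.0.2.53", 53)
QUESTION = encode_question("example.com")
PENDING = {"txid": 0x1A2B, "server": SERVER, "question": QUESTION}
HEADER_ONLY_REFUSED = struct.pack("!HHHHHH", 0x1A2B, 0x8100 | REFUSED, 0, 0, 0, 0)
FULL_REFUSED = struct.pack("!HHHHHH", 0x1A2B, 0x8100 | REFUSED, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for relaxed in (False, True):
        print(relaxed,
              match_response(PENDING, HEADER_ONLY_REFUSED, SERVER, relaxed),
              match_response(PENDING, FULL_REFUSED, SERVER, relaxed))
```

With the strict policy the header-only REFUSED is dropped and the client waits for its timeout; with the relaxed policy it is accepted only when the source address, port and transaction ID all match and the RCODE signals an error.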