* Mark Andrews:
> The servers (or the firewalls in front of them) are not RFC 103[45]
> compliant. DNS is a query/response protocol. If you don't get a
> response the server is broken.

Running a UDP service which responds to unrecognizable packets is precisely what you should not do because it can result in never-ending packet loops.

> If you can't parse the packet,
> you *construct* a response which is just the DNS header with the
> rcode set to FORMERR, the id set to that of the query and qr set
> to 1, aa set to 0, aa set to 0, ad set to 0, rd copied, ra set as
> appropriate (not that it really matters), cd copied if you support
> DNSSEC otherwise set to 0, z set to 0. This isn't rocket science.
> It is not hard to do this.

Reflecting the packet in this way may have been compliant in the RFC 1034/1035 days, but it is explicitly outlawed by RFC 6891 section 7 (you cannot strip the OPT record as required if you cannot parse the packet). I pointed out prior to publication that EDNS0bis explicitly imposed a requirement on implementations which do not implement this specification, but this comment was sadly ignored.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
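The header-only FORMERR reply that Mark Andrews describes, written out as an added example (not code from the thread or from any DNS implementation). The function name, the option parameters and the decision to copy the opcode are assumptions; the post does not mention the opcode. The one edge case it handles on the reply's side of the argument is a datagram too short to even hold a header: there is no id to copy, so it returns nothing rather than reflect garbage.

```python
import struct
from typing import Optional

HEADER_LEN = 12   # fixed DNS header size (RFC 1035 section 4.1.1)
RCODE_FORMERR = 1 # "Format error" rcode

def formerr_response(query: bytes, dnssec_aware: bool = False,
                     recursion_available: bool = False) -> Optional[bytes]:
    """Build a header-only FORMERR reply for an unparseable query datagram.

    Fields follow the quoted post: id copied, qr=1, aa=0, ad=0, rd copied,
    ra set as configured, cd copied only if we do DNSSEC, z=0, all counts 0.
    Assumption (not in the post): opcode is copied from the query.
    Returns None if the datagram is shorter than a DNS header, because then
    there is no id to echo and the only safe action is to send nothing.
    """
    if len(query) < HEADER_LEN:
        return None
    qid, flags = struct.unpack("!HH", query[:4])
    opcode = (flags >> 11) & 0xF
    rd = (flags >> 8) & 1
    cd = (flags >> 4) & 1 if dnssec_aware else 0
    resp_flags = (
        (1 << 15)                        # qr = 1 (response)
        | (opcode << 11)                 # opcode copied (assumption)
        | (rd << 8)                      # rd copied
        | (int(recursion_available) << 7)  # ra as appropriate
        | (cd << 4)                      # cd copied only when DNSSEC-aware
        | RCODE_FORMERR                  # rcode = FORMERR; aa, tc, z, ad stay 0
    )
    # qdcount, ancount, nscount, arcount are all zero: no question echoed,
    # no OPT record, just the 12-byte header.
    return struct.pack("!HHHHHH", qid, resp_flags, 0, 0, 0, 0)

# Constructed sample: a valid-looking header (id 0x1234, rd=1, cd=1) followed
# by a body that does not parse as a question section.
SAMPLE_GARBAGE = b"\x12\x34\x01\x10\x00\x01" + b"\x00" * 6 + b"\xff" * 7

if __name__ == "__main__":
    print(formerr_response(SAMPLE_GARBAGE, dnssec_aware=True).hex())
```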