Unbound any query handling

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Nov 23 08:04:46 UTC 2015



Hi,

On 23/11/15 06:31, Steinar Haug via Unbound-users wrote:
>> I have a few recursive name servers running Debian. I have
>> recently upgraded the packages I was running from Jessie
>> (1.4.22-3) to testing (1.5.6-1). Since the upgrade I have noticed
>> when testing using dig on domains that not all records get
>> returned for an any query.
> 
> The usual interpretation of an ANY query is that a recursive name 
> server will return all the records *it has cached*, while an 
> authoritative name server will simply return *all records*. This 
> could be the reason for what you are seeing.

Also, this is an early interpretation of the draft
https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any-00 .

This is to limit DoS attacks with qtype ANY, while being protocol
conformant (i.e. DNSSEC and mail programs).  It returns not all, but
some rrset entries, if those are in cache.

On the topic of DoS attacks, your new version of unbound has
ratelimiting with the option ratelimit: 100 or something (ratelimits
new, uncached queries per zone; but does not ratelimit prefetches).

Best regards, Wouter

> 
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> 



