refuse ANY queries

Tony Finch dot at dotat.at
Fri Sep 1 19:13:11 UTC 2017


A. Schulze <sca at andreasschulze.de> wrote:
>
> but 4.4 suggest also truncation and force tcp, right?

No, it just says implementations can return a full ANY response over TCP
if they want - it doesn't say anything about truncation.

> could a server send an answer without (or as less as possible data) and
> set the TC bit?

That would be a bad idea. The point of this draft is to make abusive ANY
queries go away with the smallest response possible, so you don't want to
encourage traffic to move to heavyweight TCP.

There are reflection attacks that abuse recursive servers - sometimes many
recursive servers simultaneously. These recursive servers will then
bombard the authoritative servers for the name that is being abused in the
attack. In this situation, if the authoritative server returns a truncated
response, it will have many recursive servers hammering on TCP instead of
UDP, which can easily lead to overload.

If the authoritative server just returns a small subset response, the
abused recursive servers will happily populate their cache with the small
response and they won't hammer the authoritative servers, and the
attackers will not get the amplification factor that they were expecting.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
German Bight, Humber, Thames, Dover, Wight, Portland: Variable mainly north 3
or 4, occasionally 5 at first. Mainly slight, but slight or moderate in north
German Bight. Showers, perhaps thundery at first. Good, occasionally moderate
at first.
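To make the trade-off above concrete, here is an added, constructed simulation (not code from the thread, the draft, or Unbound): it builds wire-format ANY queries and responses by hand and compares three authoritative-side policies, returning the full ANY answer over UDP, a one-RRset subset with TC clear, and an empty answer with TC set, counting the UDP queries, TCP retries and UDP amplification factor that a set of abused resolvers would produce. The zone data (example.com with eight A records), the resolver count and the repeat count are assumptions chosen for illustration.

```python
import struct

QTYPE_ANY, QTYPE_A, CLASS_IN = 255, 1, 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200

def encode_name(name):  # wire-format name: length-prefixed labels, root terminator
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qid, name):  # 12-byte header with RD set, one question of type ANY
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)

def a_record(name, ttl, ipv4):  # one uncompressed A RR: name,type,class,TTL,RDLENGTH,RDATA
    rdata = bytes(int(o) for o in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4) + rdata

def build_response(query, answers, truncated):
    """Copy the question back, set QR/AA (and TC when asked), append answers."""
    qid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", qid, flags, qdcount, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)

def simulate(policy, n_resolvers, repeats, name, full_rrs):
    """Abused resolvers each repeat the ANY query (constructed scenario): count
    UDP queries and TCP retries at the authoritative, and UDP amplification."""
    udp = tcp = query_bytes = resp_bytes = 0
    for r in range(n_resolvers):
        cached = None
        for _ in range(repeats):
            if cached is not None:
                continue  # answered from cache, authoritative not contacted
            query = build_query(r, name)
            udp, query_bytes = udp + 1, query_bytes + len(query)
            if policy == "full":        # pre-draft: whole ANY answer over UDP
                resp = build_response(query, full_rrs, truncated=False)
            elif policy == "subset":    # draft: a single RRset, TC clear
                resp = build_response(query, full_rrs[:1], truncated=False)
            else:                       # "truncate": empty answer with TC set
                resp = build_response(query, [], truncated=True)
            resp_bytes += len(resp)
            if struct.unpack("!H", resp[2:4])[0] & FLAG_TC:
                tcp += 1  # resolver retries over TCP and only then gets the full answer
                resp = build_response(query, full_rrs, truncated=False)
            cached = resp
    return {"udp": udp, "tcp": tcp, "amplification": round(resp_bytes / query_bytes, 2)}

RRS = [a_record("example.com", 300, f"192.0.2.{i}") for i in range(1, 9)]  # constructed zone data
```

Calling `simulate(policy, 5, 3, "example.com", RRS)` for each policy shows the point of the message: the subset answer is cached after one small UDP exchange, the truncated answer costs the authoritative a TCP session per resolver, and the full answer hands the attacker the large amplification factor the draft is meant to remove.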
