Finer control over REFUSED, e.g. root referrals
Michael Richardson
mcr at sandelman.ca
Mon Sep 8 14:27:12 UTC 2025
Ondřej Surý <ondrej at isc.org> wrote:
> I can definitely say this is not going to be implemented and nobody should.
> Not returning an answer is a protocol violation that can lead to the DNS
> spoofing window being much larger.
Surely I'm allowed to *not* run a DNS server on an IP address, and dropping
replies surely fits into that space :-)
> There are also servers like BIND 9
> that maintain a state per server/IP address and an attacker can point
> her domain name to your server and use this to manipulate the remote
> server state by asking for such name at the victim resolver.
Yes, that's an interesting concern.
It might be worth the risk.
It seems like the OP should run their selective recursion on a different IP
address than their authoritative.
Then they can have views and do different things. IPv6 makes this trivial.
IPv4 scarcity might make this harder.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
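The split suggested above, one address for the authoritative service and a second for selective recursion, expressed as a BIND 9 views configuration. This is an added example, not part of the thread or of ISC's own configuration; the addresses (documentation ranges), the `example.net` zone, its zone file and the `trusted` client range are all constructed placeholders.

```conf
options {
    directory "/var/named";
    // listen-on is global in BIND 9; the views below select on the
    // destination address each query arrived at (constructed addresses).
    listen-on    { 192.0.2.1; 192.0.2.2; };
    listen-on-v6 { 2001:db8::1; 2001:db8::2; };
};

acl auth-addrs { 192.0.2.1; 2001:db8::1; };   // authoritative service address
acl rec-addrs  { 192.0.2.2; 2001:db8::2; };   // resolver service address
acl trusted    { 192.0.2.0/24; 2001:db8::/32; };  // assumed client range

// Queries that arrive on the authoritative address: answer for our zones,
// never recurse, so there is no resolver state for a third party to poke at.
view "authoritative" {
    match-destinations { auth-addrs; };
    match-clients      { any; };
    recursion no;
    allow-query        { any; };
    allow-recursion    { none; };

    zone "example.net" {
        type primary;                 // "type master" on BIND 9 before 9.16
        file "example.net.zone";      // placeholder zone file
    };
};

// Queries that arrive on the resolver address from trusted clients only.
// Anything that matches no view, or fails allow-query, still gets a proper
// REFUSED rather than silence, so no protocol violation is needed.
view "resolver" {
    match-destinations { rec-addrs; };
    match-clients      { trusted; };
    recursion yes;
    allow-query        { trusted; };
    allow-recursion    { trusted; };
    allow-query-cache  { trusted; };
};
```

With this layout the authoritative address never carries per-server resolver state, and the recursive address refuses (rather than drops) queries from outside the trusted range, which addresses both concerns raised in the quoted reply.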