[rbldnsd] NotImpl when AA bit is set in request...
Amos Jeffries
amos at treenet.co.nz
Wed Aug 6 14:57:39 MSD 2008
askthelist at gmail.com wrote:
> On Tue, Aug 5, 2008 at 1:22 PM, Michael Tokarev <mjt at tls.msk.ru
> <mailto:mjt at tls.msk.ru>> wrote:
>
> askthelist at gmail.com <mailto:askthelist at gmail.com> wrote:
> > rbldnsd is returning "Not Implemented" in responses to requests in
> > which the DNS AA (Authoritative Answer) bit is set... This may seem
> > strange and an odd request, but is there a way to configure
> > rbldnsd to ignore this bit in requests and respond to the query
> > anyway? If there is
>
> Yes indeed this is strange, more than strange.
>
> Truth is stranger than fiction sometimes...
>
> This bit is used for ANSWERS (as it's authoritative ANSWER), it can't
> be set in queries. Just like some other bits, like RA (recursion
> available).
>
> According to the RFC1035 this should be illegal, yet our Microsoft DNS
> Servers with forwards to our local rbldnsd's began sending queries with
> this bit set recently, not sure if it has anything to do with the recent
> dns patches that were released, but... Here's a debug that shows the bit
> being set...
Hmm, sounds a bit to me like packets with those bits set might be part
of one possible _attack_ against the flaw the recent DNS patches were
set to correct. Fooling a recursor into sending a reply with valid
entropy details.
AJ
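An added example, not rbldnsd's code and not from any poster in this thread: it parses the RFC 1035 header and reports queries (QR=0) that carry the response-only AA or RA bits, which is the condition the thread describes. The query name and ID are constructed placeholders.

```python
import struct

# RFC 1035 header flag bits (the 16-bit word after the ID).
QR = 0x8000          # 1 = response, 0 = query
OPCODE_MASK = 0x7800
AA = 0x0400          # Authoritative Answer: meaningful only in responses
TC = 0x0200
RD = 0x0100
RA = 0x0080          # Recursion Available: set by responders, not queriers
RCODE_MASK = 0x000F

def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into its named fields."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def response_only_flags_in_query(packet: bytes) -> list:
    """Names of response-only flags set on a query (QR=0); empty if clean.
    A resolver or zone server can log these instead of silently serving them."""
    h = parse_header(packet)
    if h["qr"]:
        return []
    return [name for name, on in (("AA", h["aa"]), ("RA", h["ra"])) if on]

def build_query(ident: int, flags: int, qname: str) -> bytes:
    """Construct a minimal A/IN query for qname with the given flag word (sample input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + question

# Constructed samples: a normal recursive query, and one with AA set as in the thread.
NORMAL_QUERY = build_query(0x1234, RD, "2.0.0.127.dnsbl.example.invalid")
AA_QUERY = build_query(0x1234, RD | AA, "2.0.0.127.dnsbl.example.invalid")
```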