1. DNS/返答/minimal-responses
minimal-responses makes responses smaller.
But it increases the number of queries (a client that needed the omitted NS or address records has to ask for them separately).
- The developers' comment is that this is the only trade-off. It is not the only one.
Accepting extra records in a response increases the risk of cache poisoning. -- ToshinoriMaeno 2018-03-24 12:33:34
It turned out that even with minimal-responses, unneeded Additional records are still attached. -- ToshinoriMaeno 2018-03-31 23:30:17
- The ISC people call this "sibling glue", but they are probably misunderstanding what glue is.
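The point above, that Authority/Additional records a client did not ask for are what a poisoning attempt rides on and that minimal-responses removes them at the source, as an added example in Python (not code from this page, from ISC/BIND or from any of the servers discussed). It builds a NOERROR response in RFC 1035 wire format with an Answer, an apex NS in Authority and two glue-style A records in Additional, then shows the two defences side by side: the resolver-side bailiwick filter that discards records whose owner is outside the responding zone, and the server-side minimal response that never carries those sections at all. The zone example.jp, the names ns1.example.jp and mail.other.test, and the addresses are constructed for the illustration; the out-of-zone record stands in for the kind of ancillary data the page is about.

```python
import struct

# Constructed scenario, not from the page: a server authoritative for example.jp
# answers a query for www.example.jp and, besides the Answer, fills the Authority
# and Additional sections with records the client never asked for.
A, NS, IN = 1, 2, 1


def encode_name(name):
    """RFC 1035 wire-form name, no label compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not produced by this builder")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def rr(name, rtype, rdata, ttl=300):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_response(qname, answer, authority, additional, txid=0x1234):
    """Server side. Flags 0x8400 = QR|AA, NOERROR. Passing [] for authority and
    additional is exactly what a 'minimal response' looks like on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, IN)
    return header + question + b"".join(answer + authority + additional)


def parse_response(msg):
    """Returns (qname, sections) with sections[name] = [(owner, type, rdata), ...]."""
    _, _, _, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # QTYPE, QCLASS
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = recs
    return qname, sections


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def filter_out_of_bailiwick(sections, zone):
    """Resolver side: keep only records whose owner lies under the zone the
    responding server serves; Authority/Additional data about other names is dropped."""
    return {sec: [r for r in recs if in_bailiwick(r[0], zone)] for sec, recs in sections.items()}


ZONE = "example.jp."
ANSWER = [rr("www.example.jp.", A, a_rdata("192.0.2.10"))]
AUTHORITY = [rr("example.jp.", NS, encode_name("ns1.example.jp."))]
ADDITIONAL = [
    rr("ns1.example.jp.", A, a_rdata("192.0.2.53")),     # glue for the zone's own NS
    rr("mail.other.test.", A, a_rdata("203.0.113.66")),  # unrelated owner: the poison candidate
]


def demo():
    """Returns the parsed sections as sent, after the bailiwick filter, and as a
    minimal response that never carried the extra sections in the first place."""
    full = parse_response(build_response("www.example.jp.", ANSWER, AUTHORITY, ADDITIONAL))[1]
    safe = filter_out_of_bailiwick(full, ZONE)
    minimal = parse_response(build_response("www.example.jp.", ANSWER, [], []))[1]
    return full, safe, minimal


if __name__ == "__main__":
    for label, s in zip(("as sent", "after bailiwick filter", "minimal-responses"), demo()):
        print(label, {k: [r[0] for r in v] for k, v in s.items()})
```

Running it prints the owner names per section in the three forms: the record for mail.other.test survives only in the response as sent. The bailiwick filter is the resolver's last line of defence and depends on the resolver knowing which zone the server it asked is authoritative for; a minimal response needs no such judgement on the client side because the server simply does not emit what was not asked for.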
2. Response examples
3. BIND option
The option has existed for a long time, but the default is no. DNS/BIND/minimal-responses
From 9.12 the default becomes the new value no-auth-recursive, but the behaviour hardly changes.
- Setting it to yes is recommended.
-- ToshinoriMaeno 2018-03-20 03:16:06
4. Knot DNS action
https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000700.html Knot DNS 2.0.1 patch release
- We have decided to remove NS record from the Authority section for NOERROR responses. We used to put these records there because BIND and NSD did it. But these records are not required by any RFC and just increase the size of the response.
https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000704.html
https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000703.html
Jan Včelák wrote:
> Robert Edmonds wrote:
>> I can certainly see how apex NS records in the authority section is not
>> particularly useful for root or TLD servers, but it's occasionally
>> useful for "leaf" zones to speed up the propagation of updated NS
>> records, due to the trust ranking rules in RFC 2181 §5.4.1.
>
> I haven't thought about this. This might be indeed useful. On the other
> hand, why NS and not any other RR type? I think this is really single
> purposed and I'm not convinced (at the moment) that this is worthy of
> adding an option.
https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000710.html
5. Unbound option
minimal-responses: <yes or no> If yes, Unbound doesn't insert authority/additional sections into response messages when those sections are not required. This reduces response size significantly, and may avoid TCP fallback for some responses. This may cause a slight speedup. The default is no, because the DNS protocol RFCs mandate these sections, and the additional content could be of use and save roundtrips for clients.
I think this interpretation of the RFCs is wrong. (Compare with the view of cz / Knot DNS above.)
- They apparently do not consider the poisoning risk. (Is the implication that one should use DNSSEC?)
Since Unbound is a resolver, this concerns its stub-resolver clients, so perhaps it is not a big problem. -- ToshinoriMaeno 2018-03-20 03:21:41
6. Infoblox
Specifying Minimal Responses https://docs.infoblox.com/display/NAG8/Specifying+Minimal+Responses