This release introduces query type ANY refusal. NSD already has RRL
support that by default throttles queries, including queries of type ANY.
But an nsd.conf option has been added that makes NSD refuse queries of
type ANY.
The tcp-count can be higher. For more tcp service, use something like
tcp-count: 10000 or so. The fix is that tcp connections use (much) less
memory now than in previous versions.
The memclean option is for memory checkers and code analyzers. Without
the option, NSD lets the system remove memory pages with unused
resources on exit of a process, which is much faster.
Compiled without warnings on Debian. Running on some lab systems now...
Implementers SHOULD provide configuration options to allow operators
to specify different behaviour over UDP and TCP.
I've no idea if refuse-any will break something in my networks.
But if one day something breaks, it would be nice to know
NSD could be configured to at least allow ANY (old behaviour) on TCP.
I also prefer this: refuse ANY queries over UDP, but allow them over TCP.
Actually, what Knot DNS does is to respond to ANY queries with an empty
answer and the TC bit set. The response is therefore just as small as a
REFUSED response. A genuine client will retry over TCP, and Knot answers
that. I personally prefer this to a REFUSED response.
All right, I have implemented this for the next release. It replies
with a 12-byte packet with the TC flag set to UDP queries of type ANY.
That makes the reply smaller than the query.
TCP queries of type ANY are not obstructed, and get a normal answer.
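The Knot behaviour described a few messages up and the NSD implementation in the last message come down to the same exchange: a header-only reply with TC set over UDP, and a normal answer once the client retries over TCP. The Python below is an added worked example of that exchange with both sides in one process; it is not code from NSD, Knot or any of the posters. The toy zone, the serve/resolve function names and the refuse_any parameter are constructed for illustration.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_ANY, QCLASS_IN = 1, 28, 255, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, MASK_OPCODE = 0x8000, 0x0400, 0x0200, 0x0100, 0x7800

# Constructed toy zone for the example: owner name -> list of (type, rdata).
ZONE = {
    "www.example.": [
        (QTYPE_A, bytes([192, 0, 2, 10])),
        (QTYPE_AAAA, bytes.fromhex("20010db8000000000000000000000010")),
    ],
}


def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, qid=0x1234):
    """Constructed client query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet):
    """Return (id, flags, qname, qtype, qclass, raw question bytes) of a one-question query."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qid, flags, ".".join(labels) + ".", qtype, qclass, packet[12:pos + 4]


def truncated_reply(qid, flags):
    """Header-only 12-byte reply: QR and TC set, opcode and RD copied, NOERROR, all counts zero."""
    resp_flags = FLAG_QR | FLAG_TC | (flags & (MASK_OPCODE | FLAG_RD))
    return struct.pack("!HHHHHH", qid, resp_flags, 0, 0, 0, 0)


def full_reply(qid, flags, question, qname, qtype):
    """Echo the question and append matching records from ZONE; ANY returns every type."""
    rrs = [rr for rr in ZONE.get(qname, []) if qtype in (QTYPE_ANY, rr[0])]
    rcode = 0 if qname in ZONE else 3  # NXDOMAIN for names the toy zone does not hold
    resp_flags = FLAG_QR | FLAG_AA | (flags & (MASK_OPCODE | FLAG_RD)) | rcode
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, len(rrs), 0, 0)
    # 0xC00C is a compression pointer back to the owner name in the echoed question.
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
        for rtype, rdata in rrs
    )
    return header + question + answers


def serve(packet, transport, refuse_any=True):
    """Server side: refuse_any only changes UDP ANY; TCP ANY still gets the normal answer."""
    qid, flags, qname, qtype, _qclass, question = parse_query(packet)
    if refuse_any and transport == "udp" and qtype == QTYPE_ANY:
        return truncated_reply(qid, flags)
    return full_reply(qid, flags, question, qname, qtype)


def has_tc(reply):
    return bool(struct.unpack("!H", reply[2:4])[0] & FLAG_TC)


def answer_count(reply):
    return struct.unpack("!HHHHHH", reply[:12])[3]


def resolve(qname, qtype, refuse_any=True):
    """Client side: try UDP first; a TC reply means retry the same query over TCP."""
    query = build_query(qname, qtype)
    reply = serve(query, "udp", refuse_any)
    if has_tc(reply):
        return serve(query, "tcp", refuse_any), "tcp"
    return reply, "udp"
```

The UDP reply to an ANY query is exactly 12 bytes, shorter than the 29-byte query, so the server cannot be used as an amplifier for that query type, while a client that follows the TC bit still ends up with the complete answer over TCP. Passing refuse_any=False reproduces the old behaviour, where the full ANY answer goes out over UDP.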