NSD and RFC 8482 (ANY queries)

Internet Draft draft-ietf-dnsop-refuse-any-07, soon RFC 8482, claims
that "An implementation of the subset-mode response to ANY queries was
implemented in NSD 4.1 in 2016." It is not clear to me how it is
implemented. I see in the code:

  if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
    TC_SET(q->packet);
    return query_error(q, NSD_RC_OK);
  }

and in the documentation:

.B refuse\-any:\fR <yes or no>
Refuse queries of type ANY. This is useful to stop query floods trying
to get large responses. Note that rrl ratelimiting also has type ANY as
a ratelimiting type. It sends truncation in response to UDP type ANY queries,
and it allows TCP type ANY queries like normal.
The default is no.

Code and documentation seem to agree. But sending TC is not one of the
three possibilities accepted by the RFC when you don't like ANY (the
future RFC says the opposite: "the TC bit SHOULD NOT be set on the
response"). Am I right in this assessment? Is there a plan to adapt NSD
to the RFC?

Hi,

I posted a (very simple) patch implementing the draft-00 spec (answers a subset of available RRsets) to the nsd-users mailing list in 2016. But it was not included in mainline.

https://open.nlnetlabs.nl/pipermail/nsd-users/2016-February/002234.html

I don’t know whether the “NSD implementation” noted in draft-07 corresponds to my patch.

Stephane Bortzmeyer <bortzmeyer@nic.fr>:

Hi,

The deny-any was implemented because users asked for that. The patch is
very good and I have incorporated it, enabled by default. Do you think
the deny-any option can be removed, or have that control this behaviour?

Best regards, Wouter

Hi, Wouter

Thank you for applying the patch.

For simplicity the refuse-any option in NSD should be removed in the future.
The only concern is that users specifying the refuse-any option in their nsd.conf
will be surprised that they can’t start the nameserver after upgrading NSD…

Regards,
Daisuke Higashi

Wouter Wijngaards <wouter@nlnetlabs.nl>:

before I lose overview:

deny-any means the configuration option "refuse-any", available since nsd-4.1.21,
which currently sets the TC bit on UDP and returns all RRs on TCP.

with Daisuke's patch NSD would answer to ANY queries with a subset of available RRsets.
-> only on UDP? or no matter which transport?
-> a fixed subset or a random subset?

Andreas

You cannot remove it. It has been enabled already in some distros. I for one assumed it implemented Olafur’s RFC.

I would change the meaning to be that. Whether or not to perform RFC 8482 denial of ANY.

Paul

A. Schulze <sca@andreasschulze.de>:

with Daisuke’s patch NSD would answer to ANY queries with a subset of available RRsets.
→ only on UDP? or no matter which transport?
→ a fixed subset or a random subset?

on current trunk version:

  1. Returns always RFC 8482 4.1 style (one RRset plus RRSIG) response for both UDP and TCP.

  2. Only first RRset seen in zone file is used for generating RFC 8482 response.
    (This is my observation. It picks the first element of the “rrset” linked list but I don’t know exactly how this linked list is created/edited)
    → see https://gist.github.com/hdais/25cb3fc86335026d40f0#gistcomment-1692779

  3. The refuse-any option still works. This option is NOT for enabling/disabling RFC 8482, but for ANY-to-TCP (if a UDP ANY query is received and this option is yes, NSD returns a TC=1 empty response to direct the requester to switch to TCP).

Regards,
Daisuke Higashi
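To make the two behaviours discussed in this thread concrete, here is a small Python model added here (not NSD's own code) of the decision logic as Daisuke describes the trunk behaviour: refuse-any on UDP yields an empty TC=1 reply, otherwise an RFC 8482 section 4.1 style reply with the first RRset in zone order plus the RRSIG covering it, on UDP and TCP alike. The owner name, record data and the Python names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class RRset:
    """One RRset at a single owner name; for RRSIG, `covers` is the signed type."""
    rtype: str
    rdata: List[str]
    covers: Optional[str] = None

# Constructed sample RRsets in zone-file order (placeholder data, not a real zone).
SAMPLE_RRSETS = [
    RRset("A", ["192.0.2.1"]),
    RRset("RRSIG", ["A 13 2 3600 <sig>"], covers="A"),
    RRset("AAAA", ["2001:db8::1"]),
    RRset("RRSIG", ["AAAA 13 2 3600 <sig>"], covers="AAAA"),
    RRset("TXT", ["v=spf1 -all"]),
    RRset("RRSIG", ["TXT 13 2 3600 <sig>"], covers="TXT"),
]

@dataclass
class Response:
    tc: bool                                      # truncation bit
    answer: List[RRset] = field(default_factory=list)

def answer_any_full(rrsets: List[RRset]) -> Response:
    """Legacy behaviour: every RRset at the name, the large reply ANY floods want."""
    return Response(tc=False, answer=list(rrsets))

def answer_any(rrsets: List[RRset], transport: str, refuse_any: bool) -> Response:
    """QTYPE=ANY handling as the thread describes NSD trunk.

    - refuse-any=yes and UDP: empty reply with TC=1 (ANY-to-TCP redirect).
    - otherwise: RFC 8482 4.1 style subset, i.e. the first non-RRSIG RRset
      in zone order plus the RRSIG(s) covering it, regardless of transport.
    """
    if refuse_any and transport == "udp":
        return Response(tc=True)
    first = next((r for r in rrsets if r.rtype != "RRSIG"), None)
    if first is None:
        return Response(tc=False)
    sigs = [r for r in rrsets if r.rtype == "RRSIG" and r.covers == first.rtype]
    return Response(tc=False, answer=[first] + sigs)

def answer_types(resp: Response) -> List[str]:
    """Record types in the answer section, in order (handy for comparing replies)."""
    return [r.rtype for r in resp.answer]
```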