Maintained by: NLnet Labs

refuse ANY queries

Petr Špaček
Fri Aug 25 12:57:45 CEST 2017


On 25.8.2017 11:47, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Petr,
> 
> Unbound already implements that draft.  Method 4.1, select one (actually
> a couple) RRsets.  It picks them from cache if they are available there
> (e.g. A record or SOA record) and if no records are in cache, it'll make
> a query.

Oh, nice! Is it released already?

I'm not able to find the string "refuse-any" either in
http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog
or in the SVN log.


Curious question: How are these RRsets selected?
For example, the domain cpsc.gov., which is often used for attacks using our
resolver, can produce rather large answers for QTYPE, so returning more
than one QTYPE might not cut the size down as we would wish.

Petr Špaček  @  CZ.NIC


> 
> There may be tricks with local-zones or local-data or python scripting
> or views.
> 
> Best regards, Wouter
> 
> On 25/08/17 11:42, Petr Špaček via Unbound-users wrote:
>> Hello,
>>
>> is it possible to use some trick to configure Unbound to refuse ANY queries?
>>
>> It would be helpful for (intentionally) open recursors before
>> https://tools.ietf.org/html/draft-ietf-dnsop-refuse-any is implemented.
>>
>> Thank you for your time.
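
An added example, not part of the thread and not Unbound's code: the wire-level decision the original question asks for, written as a filter that answers QTYPE ANY with REFUSED and passes every other query on. Placing such a filter in front of the resolver, and the names `build_query`, `parse_question` and `refuse_if_any`, are assumptions made for illustration; the sample query is constructed.

```python
import struct

QTYPE_ANY = 255        # QTYPE "*" (ANY)
RCODE_REFUSED = 5

def build_query(qid, name, qtype):
    """Construct a sample query (test input, RD set, class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, 1))

def parse_question(msg):
    """Return (qname, qtype, end_offset) of the single question."""
    if len(msg) < 12 or struct.unpack_from("!H", msg, 4)[0] != 1:
        raise ValueError("need a full header and exactly one question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length > 63 or off + length > len(msg):
            raise ValueError("bad label")  # pointers are not accepted here
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = struct.unpack_from("!H", msg, off)[0]
    return ".".join(labels) + ".", qtype, off + 4

def refuse_if_any(query):
    """REFUSED response for QTYPE ANY, or None to pass the query on."""
    _, qtype, end = parse_question(query)
    if qtype != QTYPE_ANY:
        return None
    qid, flags = struct.unpack_from("!HH", query, 0)
    # QR=1, RA=1, RCODE=REFUSED; opcode and RD copied from the query.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | RCODE_REFUSED
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:end]   # echo the question, no records

if __name__ == "__main__":
    q = build_query(0x1234, "example.com.", QTYPE_ANY)   # constructed sample
    print(refuse_if_any(q).hex())
```

Because the response carries only the header and the echoed question, it is never larger than the query that triggered it.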