What is the Recursor's exact detection method and reaction in relation to the spoof-nearmiss-max config parameter?
Do internal counters for an outstanding query record

- answers coming back from other authoritative (or ANY) servers than the one asked?
- any mismatch (not just an "approximate" mismatch, as the "nearmiss" suggests) of the query-ID?

Shouldn't the default for this parameter be "1" instead of "20"?

How well does the Recursor aggregate/avoid duplicate queries for the same RR going out, to avoid a birthday attack? There is a "chain-resends" statistics variable (not documented in http://doc.powerdns.com/recursor-stats.html, along with several other variables found in rec_channel_rec.cc: what are case-mismatches, shunted-queries, noshunt-*, and why is throttled-outqueries duplicating throttled-out?) suggesting tracking of this.

What does the Recursor actually do if the counter exceeds the configured limit?

- abandon the query and return SERVFAIL to all clients?
- abandon the query and return nothing to all clients?
- wait X seconds and retry the outgoing query to the same NS? or to another NS for the zone?

I am reading through http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-05.txt for some interesting ideas...

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
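The questions above (what a "near miss" is, whether answers from a server that was not asked count, how aggregating in-flight duplicates limits the birthday attack, and what happens when a threshold is exceeded) can be made concrete with a small model. The following is an added example written for this thread; it is not PowerDNS Recursor code and does not claim to reproduce how spoof-nearmiss-max is implemented. The `Outstanding`/`Response` records, the verdict strings, the "abandon the query" reaction and the sample traffic are all constructed assumptions, and a fixed UDP source port is assumed so that only the 16-bit transaction ID is guessed.

```python
"""Illustrative near-miss tracker and birthday-attack arithmetic for a DNS resolver.

Added example for this thread. It is NOT PowerDNS Recursor code and does not
claim to reproduce how spoof-nearmiss-max is actually implemented; the record
layout, the verdict strings and the sample traffic are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID


@dataclass
class Outstanding:
    """One in-flight upstream query (assumed bookkeeping, not the Recursor's)."""
    qname: str
    qtype: str
    server: str          # authoritative server address the query went to
    qid: int             # transaction ID we chose
    nearmisses: int = 0  # answers from `server` for this name/type with a wrong ID


@dataclass
class Response:
    """Constructed model of an incoming UDP answer."""
    src: str
    qname: str
    qtype: str
    qid: int


class NearMissTracker:
    def __init__(self, nearmiss_max: int):
        self.nearmiss_max = nearmiss_max
        self.outstanding: dict[tuple[str, str], Outstanding] = {}
        self.abandoned: list[tuple[str, str]] = []

    def send(self, qname: str, qtype: str, server: str, qid: int) -> Outstanding:
        """Register an outgoing query; a duplicate for the same name/type is
        aggregated onto the existing one instead of opening a second ID."""
        key = (qname, qtype)
        if key not in self.outstanding:
            self.outstanding[key] = Outstanding(qname, qtype, server, qid)
        return self.outstanding[key]

    def receive(self, r: Response) -> str:
        key = (r.qname, r.qtype)
        o = self.outstanding.get(key)
        if o is None:
            return "unexpected"          # nothing in flight for this name/type
        if r.src != o.server:
            return "wrong-server"        # answer from a server we never asked
        if r.qid == o.qid:
            del self.outstanding[key]
            return "accepted"
        o.nearmisses += 1                # right server, right question, wrong ID
        if o.nearmisses > self.nearmiss_max:
            self.abandoned.append(key)
            del self.outstanding[key]
            return "abandoned"           # assumed reaction: give up on this query
        return "nearmiss"


def spoof_success_probability(distinct_ids_in_flight: int, forged_packets: int) -> float:
    """Probability that at least one of `forged_packets` guesses hits any of the
    `distinct_ids_in_flight` IDs currently open for one name (fixed source port
    assumed, so only the 16-bit ID is guessed). Aggregating duplicates keeps
    the first argument at 1; without it, each extra in-flight copy of the same
    question widens the attacker's target."""
    per_packet = distinct_ids_in_flight / ID_SPACE
    return 1.0 - (1.0 - per_packet) ** forged_packets


def demo_scenario(nearmiss_max: int = 2) -> list[str]:
    """Run constructed traffic through the tracker and return the verdicts."""
    t = NearMissTracker(nearmiss_max)
    t.send("www.example.", "A", "192.0.2.53", qid=0x1234)
    t.send("www.example.", "A", "192.0.2.53", qid=0x9999)  # aggregated, no new ID
    traffic = [
        Response("198.51.100.7", "www.example.", "A", 0x1234),  # right ID, wrong server
        Response("192.0.2.53", "www.example.", "A", 0x0001),    # near miss 1
        Response("192.0.2.53", "www.example.", "A", 0x0002),    # near miss 2
        Response("192.0.2.53", "www.example.", "A", 0x0003),    # exceeds max -> abandoned
        Response("192.0.2.53", "www.example.", "A", 0x1234),    # too late, nothing in flight
    ]
    return [t.receive(r) for r in traffic]


if __name__ == "__main__":
    print(demo_scenario())
    print(f"1 ID in flight, 1 forged packet: {spoof_success_probability(1, 1):.2e}")
    print(f"20 IDs in flight, 1 forged packet: {spoof_success_probability(20, 1):.2e}")
```

In this model a response from an address that was not queried is discarded outright and never counts toward the threshold, while a response from the correct server for the correct question but with a different transaction ID is the "near miss" that increments the counter. The `spoof_success_probability` helper shows why the aggregation question matters: with duplicates collapsed, one forged packet has a 1/65536 chance per name, and each un-aggregated copy of the same question in flight multiplies that.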