On 18. 09. 24 15:15, Vladimír Čunát via knot-resolver-users wrote:
I'm not sure. The design choice at that point was to avoid modifying
any record sets and instead just "fail safely". Though maybe the main
reason was that it was simpler to implement in our case if it should
include avoiding this case of referrals to local IPs.
Either way, those delegations do seem in disarray. dig +trace also
complains with lines like
;; BAD (HORIZONTAL) REFERRAL
;; communications error to 10.52.192.140#53: network unreachable
--
Unfortunately it leads to a massive traffic amplification with real
clients. Because of RCODE 5 they keep retrying... I had to disable
rebinding protection completely in order to make the network stable.
Refusing them is not a good idea if you have a large deployment.