wouter at nlnetlabs.nl
Fri Nov 20 11:34:30 CET 2015
-----BEGIN PGP SIGNED MESSAGE-----
On 11/20/2015 10:11 AM, W.C.A. Wijngaards via Unbound-users wrote:
> Hi Ian,
> On 11/19/2015 09:47 PM, Ian Cohee via Unbound-users wrote:
>> Hello all,
>> One of our engineers discovered some interesting behavior while
>> testing bad EDNS RRs in Unbound. He discovered that Unbound
>> properly checks and identifies a truncated OPT RR as a FORMERR,
>> but then returns the truncated OPT RR, resulting in a malformed
>> response to a malformed request. I have attached a PCAP file
>> that should contain the malformed requests/responses.
> There is a fix now, unbound will remove the EDNS section from that
> This may cause the sender to think the server does not support
> EDNS and then drop EDNS from its queries - and that is exactly
> right because its EDNS contents cannot be parsed.
And fixed to reply with a valid EDNS record without options in it in
the FORMERR message. This is for RFC compliance, as Yuri points out.
Best regards, Wouter
> Best regards, Wouter
>> Has anyone observed this behavior, and if so, had issues from
>> I'd also like to hear some opinions about this behavior.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
More information about the Unbound-users