Enable minimal ANY answers by default

ANY queries are widely abused by attackers doing reflection attacks as
they return the largest answers.  Enable minimal ANY answers by default
to reduce the attack surface of the DNS servers.

diff --git a/bin/include/defaultconfig.h b/bin/include/defaultconfig.h
index fb1ede220cc9b1ab3b38df8e6ab2cb1a888a2bfb..c92aeaea054d01c06158c81a2611af4c2a4ce1ed 100644 (file)
--- a/bin/include/defaultconfig.h
+++ b/bin/include/defaultconfig.h
@@ -154,7 +154,7 @@ options {\n\
        message-compression yes;\n\
        min-ncache-ttl 0; /* 0 hours */\n\
        min-cache-ttl 0; /* 0 seconds */\n\
-       minimal-any false;\n\
+       minimal-any yes;\n\
        minimal-responses no-auth-recursive;\n\
        notify-source *;\n\
        notify-source-v6 *;\n\

diff --git a/bin/tests/system/digdelv/ns2/named.conf.j2 b/bin/tests/system/digdelv/ns2/named.conf.j2
index 47b0449ffb35b8b3d099fdc6d3fe103606f7f0fd..07a6228ac172033e756cf788927268cdef23b6c8 100644 (file)
--- a/bin/tests/system/digdelv/ns2/named.conf.j2
+++ b/bin/tests/system/digdelv/ns2/named.conf.j2
@@ -21,6 +21,7 @@ options {
        listen-on-v6 { fd92:7065:b8e:ffff::2; };
        recursion no;
        dnssec-validation no;
+       minimal-any no;
 };
 
 zone "." {

diff --git a/bin/tests/system/digdelv/ns3/named.conf.j2 b/bin/tests/system/digdelv/ns3/named.conf.j2
index 90a3fa30669633f2ba98c0b4d50b5f1adc8a2a23..4105ada269c519e2b4e85a0458ef42f1912f5c8c 100644 (file)
--- a/bin/tests/system/digdelv/ns3/named.conf.j2
+++ b/bin/tests/system/digdelv/ns3/named.conf.j2
@@ -20,6 +20,7 @@ options {
        recursion yes;
        dnssec-validation no;
        server-id "ns3";
+       minimal-any no;
 };
 
 zone "." {

diff --git a/bin/tests/system/dnssec/ns1/named.conf.j2 b/bin/tests/system/dnssec/ns1/named.conf.j2
index bd1ccc408101d46687bdc52e8d807beba9640910..f78cc0acd6669c74b216beaf251d4dc180d72d97 100644 (file)
--- a/bin/tests/system/dnssec/ns1/named.conf.j2
+++ b/bin/tests/system/dnssec/ns1/named.conf.j2
@@ -21,6 +21,8 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.1; };
        listen-on-v6 { none; };
+       minimal-any no;
+       minimal-responses no;
        recursion no;
        notify yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/dnssec/ns2/named.conf.j2 b/bin/tests/system/dnssec/ns2/named.conf.j2
index 8507c768f0b99e717b48ceb078fd86f46330f821..7594ba276fd1185210d1488af38754522b310f29 100644 (file)
--- a/bin/tests/system/dnssec/ns2/named.conf.j2
+++ b/bin/tests/system/dnssec/ns2/named.conf.j2
@@ -22,11 +22,12 @@ options {
        listen-on { 10.53.0.2; };
        listen-on-v6 { none; };
        allow-transfer { any; };
+       minimal-any no;
+       minimal-responses no;
        recursion no;
        notify yes;
        dnssec-validation yes;
        notify-delay 1;
-       minimal-responses no;
 };
 
 key rndc_key {

diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 9cbc58892c844c4c9b0bc4673b5d67088c78848d..286a3f589ab306c445f1cc072992fb30c7911b09 100644 (file)
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -24,11 +24,12 @@ options {
        listen-on { 10.53.0.3; };
        listen-on-v6 { none; };
        allow-transfer { any; };
+       minimal-any no;
+       minimal-responses no;
        recursion no;
        notify yes;
        dnssec-validation yes;
        session-keyfile "session.key";
-       minimal-responses no;
 };
 
 key rndc_key {

diff --git a/bin/tests/system/dnssec/ns4/named.conf.j2 b/bin/tests/system/dnssec/ns4/named.conf.j2
index b4aa86146a5cb882b78da3dd6d60184209f78539..91e2e7d953fb9cf3ef3195290208f561471ab9e0 100644 (file)
--- a/bin/tests/system/dnssec/ns4/named.conf.j2
+++ b/bin/tests/system/dnssec/ns4/named.conf.j2
@@ -26,8 +26,9 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.4; };
        listen-on-v6 { none; };
-       recursion yes;
+       minimal-any no;
        minimal-responses no;
+       recursion yes;
 
        {% if accept_expired %}
                dnssec-accept-expired yes;

diff --git a/bin/tests/system/dnssec/ns5/named.conf.j2 b/bin/tests/system/dnssec/ns5/named.conf.j2
index a0332d9d6fff0c34171487994cbce6d10bdc042c..5429d021fa17a3b49cddf5a62daaae9488edb033 100644 (file)
--- a/bin/tests/system/dnssec/ns5/named.conf.j2
+++ b/bin/tests/system/dnssec/ns5/named.conf.j2
@@ -24,6 +24,7 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.5; 127.0.0.1; };
        listen-on-v6 { none; };
+       minimal-any no;
        recursion yes;
        minimal-responses no;
        servfail-ttl 0;

diff --git a/bin/tests/system/dnssec/ns6/named.conf.j2 b/bin/tests/system/dnssec/ns6/named.conf.j2
index c3c0da6e44e1bcc9368483daee9f403a023b69a5..2fb2cf54131d8cc0ac4fbc5f738c6e3c0b4dcce0 100644 (file)
--- a/bin/tests/system/dnssec/ns6/named.conf.j2
+++ b/bin/tests/system/dnssec/ns6/named.conf.j2
@@ -21,6 +21,7 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.6; };
        listen-on-v6 { none; };
+       minimal-any no;
        recursion yes;
        notify yes;
        disable-algorithms . { @ALTERNATIVE_ALGORITHM@; };

diff --git a/bin/tests/system/dnssec/ns9/named.conf.j2 b/bin/tests/system/dnssec/ns9/named.conf.j2
index 2a335b5a9ff64e3c4ca10907d70c5f5d159f8114..c69135f92d1b34087ee67ea7bd90de0d162e12f5 100644 (file)
--- a/bin/tests/system/dnssec/ns9/named.conf.j2
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
        pid-file "named.pid";
        listen-on { 10.53.0.9; };
        listen-on-v6 { none; };
+       minimal-any no;
        recursion yes;
        dnssec-validation yes;
        forward only;

diff --git a/bin/tests/system/resolver/ns1/named.conf.j2 b/bin/tests/system/resolver/ns1/named.conf.j2
index 2bb2ce1f86b219e78b9f4aa11e7a9ecadea6628e..26a8ce72f64b013b224bf6c3756267d9f14bbb4d 100644 (file)
--- a/bin/tests/system/resolver/ns1/named.conf.j2
+++ b/bin/tests/system/resolver/ns1/named.conf.j2
@@ -32,6 +32,7 @@ options {
        attach-cache "globalcache";
        max-recursion-queries 100;
        request-zoneversion yes;
+       minimal-any no;
 };
 
 

diff --git a/bin/tests/system/resolver/ns11/named.conf.j2 b/bin/tests/system/resolver/ns11/named.conf.j2
index 14ed048629ac8d35d3df4cd04018d834b37422f3..b6dba3be70fb5d0819c92205006daef667f0f6a4 100644 (file)
--- a/bin/tests/system/resolver/ns11/named.conf.j2
+++ b/bin/tests/system/resolver/ns11/named.conf.j2
@@ -21,4 +21,5 @@ options {
        listen-on-v6 { none; };
        recursion no;
        dnssec-validation no;
+       minimal-any no;
 };

diff --git a/bin/tests/system/resolver/ns4/named.conf.j2 b/bin/tests/system/resolver/ns4/named.conf.j2
index 67cbee8870315ddbcffa3cb3b77e149a0633740c..38b24d64c5b91ac92b76ff3f58dc36a64aaebfbe 100644 (file)
--- a/bin/tests/system/resolver/ns4/named.conf.j2
+++ b/bin/tests/system/resolver/ns4/named.conf.j2
@@ -23,6 +23,7 @@ options {
        listen-on-v6 { none; };
        recursion no;
        dnssec-validation no;
+       minimal-any no;
 };
 
 zone "." {

diff --git a/bin/tests/system/resolver/ns5/named.conf.j2 b/bin/tests/system/resolver/ns5/named.conf.j2
index 21c5fe87357eabded1b358bef133e57eff023d18..47fa54dc2f1e63229018a9188268c19c22a9dbd5 100644 (file)
--- a/bin/tests/system/resolver/ns5/named.conf.j2
+++ b/bin/tests/system/resolver/ns5/named.conf.j2
@@ -28,6 +28,7 @@ options {
        responselog yes;
        request-nsid yes;
        request-zoneversion yes;
+       minimal-any no;
 };
 
 // Don't break tests which depend on ans10 by requesting

diff --git a/bin/tests/system/resolver/ns6/named.conf.j2 b/bin/tests/system/resolver/ns6/named.conf.j2
index 34552af1b7d10a5c377cead037f214f5de53cf28..19c2da958712533fbaa016d30fa1fd0f16cfdd97 100644 (file)
--- a/bin/tests/system/resolver/ns6/named.conf.j2
+++ b/bin/tests/system/resolver/ns6/named.conf.j2
@@ -27,6 +27,7 @@ options {
        statistics-file "named.stats";
        max-udp-size 4096;
        responselog no;
+       minimal-any no;
 };
 
 zone "." {

diff --git a/bin/tests/system/resolver/ns7/named.conf.j2 b/bin/tests/system/resolver/ns7/named.conf.j2
index b9938520d644aba31092822659dd8c263fb183c6..9ae4fcfb9e084f5256219328fe21a345f653f5c3 100644 (file)
--- a/bin/tests/system/resolver/ns7/named.conf.j2
+++ b/bin/tests/system/resolver/ns7/named.conf.j2
@@ -32,6 +32,7 @@ options {
        prefetch 0;
        querylog yes;
        edns-udp-size 4096;
+       minimal-any no;
 };
 
 

diff --git a/bin/tests/system/resolver/ns9/named.conf.j2 b/bin/tests/system/resolver/ns9/named.conf.j2
index c1e79febec337c872583853f8650fdb2f139f94e..af61088eaf035278a89a373861b8787e82fbee10 100644 (file)
--- a/bin/tests/system/resolver/ns9/named.conf.j2
+++ b/bin/tests/system/resolver/ns9/named.conf.j2
@@ -23,6 +23,7 @@ options {
        dnssec-validation no;
        dual-stack-servers { fd92:7065:b8e:ffff::7; };
        qname-minimization off;
+       minimal-any no;
 };
 
 

diff --git a/bin/tests/system/rpz/ns1/named.conf.j2 b/bin/tests/system/rpz/ns1/named.conf.j2
index e7af61d073764364917f826ac1d9e61b2255544a..55e5b607198587f3c34c5b2da89d001d325256da 100644 (file)
--- a/bin/tests/system/rpz/ns1/named.conf.j2
+++ b/bin/tests/system/rpz/ns1/named.conf.j2
@@ -22,6 +22,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify no;
+       minimal-any no;
        minimal-responses no;
        dnssec-validation no;
 };

diff --git a/bin/tests/system/rpz/ns10/named.conf.j2 b/bin/tests/system/rpz/ns10/named.conf.j2
index 2cbb6ee838a9aceeadc76eda4132e8ecb8873118..89fe12fc3b252bfb3fd76161dad20624c85fe8d3 100644 (file)
--- a/bin/tests/system/rpz/ns10/named.conf.j2
+++ b/bin/tests/system/rpz/ns10/named.conf.j2
@@ -22,6 +22,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify no;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns2/named.conf.j2 b/bin/tests/system/rpz/ns2/named.conf.j2
index 617edd9e9d2735099be743fd09549c56d3858202..633d2f437b258c12ef36348d37806fd27705e041 100644 (file)
--- a/bin/tests/system/rpz/ns2/named.conf.j2
+++ b/bin/tests/system/rpz/ns2/named.conf.j2
@@ -22,6 +22,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify no;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index 2f8879b081e6fbaa449bfdec49dc5a18fc02452b..3e8bce35edfdc3d4f51c49550e8d36281cf20cb9 100644 (file)
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -29,6 +29,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify yes;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation no;

diff --git a/bin/tests/system/rpz/ns4/named.conf.j2 b/bin/tests/system/rpz/ns4/named.conf.j2
index a5ef523ced3f27ff6f95d190cf30220225e9d477..0f37c97db411144a8943f0c81b75d27c3323abfb 100644 (file)
--- a/bin/tests/system/rpz/ns4/named.conf.j2
+++ b/bin/tests/system/rpz/ns4/named.conf.j2
@@ -22,6 +22,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify no;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns5/named.conf.j2 b/bin/tests/system/rpz/ns5/named.conf.j2
index e1a727f0df803e2e27290fa107c6939e273528e4..441da7e156c2c5e7a4c5534e1d4afe7e453ccf61 100644 (file)
--- a/bin/tests/system/rpz/ns5/named.conf.j2
+++ b/bin/tests/system/rpz/ns5/named.conf.j2
@@ -29,6 +29,7 @@ options {
        ixfr-from-differences yes;
        notify-delay 0;
        notify yes;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns6/named.conf.j2 b/bin/tests/system/rpz/ns6/named.conf.j2
index 01497b205889ef19e11ae561442addef84611798..29fa84820d4d53143a5df2cd073ee4cb0eb61ac6 100644 (file)
--- a/bin/tests/system/rpz/ns6/named.conf.j2
+++ b/bin/tests/system/rpz/ns6/named.conf.j2
@@ -24,6 +24,7 @@ options {
        allow-transfer { any; };
        forward only;
        forwarders { 10.53.0.3; };
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns7/named.conf.j2 b/bin/tests/system/rpz/ns7/named.conf.j2
index b648abd14556241160a06283544e6a4ec1b7da37..f48edead00cb20701a5c6b1bb829e580397efd34 100644 (file)
--- a/bin/tests/system/rpz/ns7/named.conf.j2
+++ b/bin/tests/system/rpz/ns7/named.conf.j2
@@ -22,6 +22,7 @@ options {
        listen-on { 10.53.0.7; };
        listen-on-v6 { none; };
        allow-transfer { any; };
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation yes;

diff --git a/bin/tests/system/rpz/ns8/named.conf.j2 b/bin/tests/system/rpz/ns8/named.conf.j2
index ef6bc3f795c7004d929244909840c22ea0eeac57..574c84ab7002b4d58a284ecee8eecd8b15b7a2cf 100644 (file)
--- a/bin/tests/system/rpz/ns8/named.conf.j2
+++ b/bin/tests/system/rpz/ns8/named.conf.j2
@@ -27,6 +27,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify yes;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation no;

diff --git a/bin/tests/system/rpz/ns9/named.conf.j2 b/bin/tests/system/rpz/ns9/named.conf.j2
index b26129d1db01a0f1387c524fd9cf757a4ece7a25..0c747d45aab81a0ef07a126f5ad0f82a6d46f536 100644 (file)
--- a/bin/tests/system/rpz/ns9/named.conf.j2
+++ b/bin/tests/system/rpz/ns9/named.conf.j2
@@ -27,6 +27,7 @@ options {
        listen-on-v6 { none; };
        allow-transfer { any; };
        notify yes;
+       minimal-any no;
        minimal-responses no;
        recursion yes;
        dnssec-validation no;

diff --git a/bin/tests/system/rpzextra/ns2/named.conf.j2 b/bin/tests/system/rpzextra/ns2/named.conf.j2
index 6317563dc9921d961be7f27e94cc8c5f0671adf9..5ad99a4ad9f9d47e2bd7c891cb42e067f12c5d33 100644 (file)
--- a/bin/tests/system/rpzextra/ns2/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns2/named.conf.j2
@@ -30,6 +30,7 @@ options {
        notify no;
        dnssec-validation no;
        allow-query { any; };
+       minimal-any no;
 };
 
 zone "allowed" {

diff --git a/bin/tests/system/rpzextra/ns3/named.conf.j2 b/bin/tests/system/rpzextra/ns3/named.conf.j2
index cd459bcda6529723b3184e84f968740a2869411c..ba477461006c03d169bc4ac4f93ba8300bf44ea9 100644 (file)
--- a/bin/tests/system/rpzextra/ns3/named.conf.j2
+++ b/bin/tests/system/rpzextra/ns3/named.conf.j2
@@ -30,6 +30,7 @@ options {
        notify no;
        dnssec-validation no;
        allow-query { any; };
+       minimal-any no;
        recursion yes;
        allow-recursion { any; };
        empty-zones-enable false;

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index d9061215c5bada80fde01e3783a9106d0294e8dd..6e14b129590584a28222e58a6a9bac04afb1ec41 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2093,7 +2093,7 @@ Boolean Options
    necessarily the smallest available RRset.) Additionally,
    :any:`minimal-responses` is turned on for these queries, so no
    unnecessary records are added to the authority or additional
-   sections. The default is ``no``.
+   sections. The default is ``yes``.
 
 .. namedconf:statement:: notify
    :tags: transfer