[dns-operations] to RD or not to RD, that is the question.

Alex Nicoll anicoll at cert.org
Mon Nov 25 16:15:23 UTC 2013

I find myself in a bit of a quandary, and so I thought I'd turn to the gurus here for some help.

I needed to do some basic DNSSEC testing on a domain, and began by grabbing a list of the authoritative name servers for the domain.  I then queried each name server for some basic records that I know exist (SOA, A records, etc) to get ensure the RRSIGs come back and can be validated.  On 7 of the 10 authoritative name server, I can query WITHOUT using the RD flag in the message header, and get the expected results.  On the other three, querying without the RD flag yields no records, but also no error.  When querying the three WITH the RD flag, I get the expected responses.  

As far as I can understand the RFCs, all authoritative name servers should have a local copy of the zone, which means that they should be able to answer the queries without recursion.  Is this a correct assumption?   If it isn't, then I need to modify my scan script, but if it is, can I assume that means the nameservers need to be fixed, or at least marked non-authoritative?



Vaporware:  A much discussed piece of software that doesn’t actually exist.
Cloud:  Condensed Vapor.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 474 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131125/3b815f44/attachment.sig>

More information about the dns-operations mailing list