[dns-operations] lowercasing of questions from recursor to auths?
dns at fl1ger.de
Mon Feb 8 15:11:38 UTC 2016
On 5 Feb 2016, at 17:15, Peter van Dijk wrote:
> we recently got a request from a user to lowercase questions sent from
> PowerDNS Recursor to auths on the Internet, even if the question the
> got from the client was in mixed case. My initial thought was “why
> don’t we do that already - after all, once cached there are no case guarantees
Yes usually the cache entries are stored in a consistent case and the
lookup is case insensitive and the requestor is given back the casing in
> So I did some digging and investigation - all of PowerDNS, BIND and
> preserve case on the initial question to the auth (i.e. the uncached
> Unbound with 0x20 enabled, of course, does not preserve case.
Add Nominum Vantio Cacheserve here. We do the same.
> Now, experience with unbound’s 0x20 implementation shows, as I recall it, that
> it breaks some auths (no surprise there) but I have not heard anything
> it breaking client applications (although one imagines that some DNS
> tunnelling software might be affected).
Don't think so. A lot of tunnelling software seems to do Base32 encoding
of the name to transfer data. 0x20 only is operationally deployable when
you have exclusion lists for domains that don't work with it.
> My concrete question: can you imagine operational downsides to lowercasing all
> questions sent to auths? Because I don’t see it, but we’ve gone 15
> (longer for other implementations) preserving case so I need to be
Let's phrase it the other way. Why do you want to change a behaviour that
has worked very well for all major implementations over the last couple of
decades? Operationally you should not change something unless it's
broken, which this behaviour clearly is not.
> (In case the question comes up, this discussion is triggered by
> returning several IPs instead of just one when asked in
It looks like all of the 7 IPs returned are actually servers for this
domain, but serve different regions as I get different ones back
depending on where in the world I ask. So the content will be
delivered, just not as well as it could be, I suppose. Maybe write them an
email about that as it looks like an oversight, unintended feature of
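
The behaviours discussed in this thread, as an added example that is not part of the original message and not code from any of the resolvers named: 0x20 case randomisation with a strict check that the auth echoes the question case, a per-zone exclusion list, and a cache that stores one consistent case while answering in the client's casing. The zone in `NO_0X20_ZONES`, the `auth` callable standing in for an authoritative server, and the choice to send the client's casing unchanged to excluded zones are assumptions made for illustration.

```python
import secrets

# Hypothetical exclusion list (constructed): zones whose auths do not echo case.
NO_0X20_ZONES = {"broken-auth.example"}

def excluded(qname):
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in NO_0X20_ZONES)

def encode_0x20(qname, next_bit=lambda: secrets.randbits(1)):
    """Set each ASCII letter to upper or lower case from one random bit."""
    return "".join(
        (ch.upper() if next_bit() else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in qname)

class Cache:
    """Stores names in one consistent case; lookups are case-insensitive."""
    def __init__(self):
        self.entries = {}
    def put(self, qname, rdata):
        self.entries[qname.lower()] = rdata
    def get(self, qname):
        return self.entries.get(qname.lower())

def resolve(client_qname, auth, cache, next_bit=lambda: secrets.randbits(1)):
    """auth is a stand-in callable: sent qname -> (echoed qname, rdata)."""
    hit = cache.get(client_qname)
    if hit is not None:
        return client_qname, hit          # answer in the client's own casing
    strict = not excluded(client_qname)
    # Excluded zones get the client's casing unchanged (assumed fallback).
    sent = encode_0x20(client_qname, next_bit) if strict else client_qname
    echoed, rdata = auth(sent)
    # Strict mode requires a byte-for-byte echo; otherwise compare caselessly.
    ok = (echoed == sent) if strict else (echoed.lower() == sent.lower())
    if not ok:
        raise ValueError(f"question case not echoed for {client_qname!r}")
    cache.put(client_qname, rdata)
    return client_qname, rdata
```

An auth that lowercases the question section fails the strict check unless its zone is on the exclusion list, which is the operational cost of 0x20 raised in the reply above.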