[dns-operations] lowercasing of questions from recursor to auths?

Ralf Weber dns at fl1ger.de
Mon Feb 8 15:11:38 UTC 2016


On 5 Feb 2016, at 17:15, Peter van Dijk wrote:
> we recently got a request from a user to lowercase questions sent from the
> PowerDNS Recursor to auths on the Internet, even if the question the Recursor
> got from the client was in mixed case. My initial thought was “why don’t we do
> that already - after all, once cached there are no case guarantees anyway”.
Yes, usually the cache entries are stored in a consistent case and the 
lookup is case insensitive and the requestor is given back the casing in 
the query.

> So I did some digging and investigation - all of PowerDNS, BIND and Unbound
> preserve case on the initial question to the auth (i.e. the uncached case).
> Unbound with 0x20 enabled, of course, does not preserve case.
Add Nominum Vantio Cacheserve here. We do the same.

> Now, experience with unbound’s 0x20 implementation shows, as I recall it, that
> it breaks some auths (no surprise there) but I have not heard anything about
> it breaking client applications (although one imagines that some DNS
> tunnelling software might be affected).
Don't think so. A lot of tunnelling software seems to do Base32 encoding 
of the name to transfer data. 0x20 only is operationally deployable when 
you have exclusion lists for domains that don't work with it.

> My concrete question: can you imagine operational downsides to lowercasing all
> questions sent to auths? Because I don’t see it, but we’ve gone 15 years
> (longer for other implementations) preserving case so I need to be careful.
Let's phrase it the other way. Why do you want to change a behaviour that 
has worked very well for all major implementations over the last couple of 
decades? Operationally you should not change something unless it's 
broken, which this behaviour clearly is not.

> (In case the question comes up, this discussion is triggered by
> widget.criteo.com returning several IPs instead of just one when asked in
> non-lowercase.)
It looks like all of the 7 IPs returned are actually servers for this 
domain, but serve different regions, as I get different ones back 
depending on where in the world I ask. So the content will be 
delivered, just not as well as it could be, I suppose. Maybe write them an 
email about that, as it looks like an oversight, an unintended feature of 
their code.

So long
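
Added example, not part of the original message and not code from any resolver named in the thread: a sketch of the behaviours discussed above, namely a case-insensitive cache lookup that hands the client back its own casing, and 0x20 case randomization towards auths with an exclusion list. The zone name, function names and addresses are constructed for illustration.

```python
import secrets

# Hypothetical exclusion list: zones whose auths are known not to echo the
# question case (constructed sample entry, not a real finding).
NO_0X20_ZONES = {"broken-auth.example"}

def cache_key(qname: str) -> str:
    """DNS names compare case-insensitively (ASCII), so key the cache on lowercase."""
    return qname.rstrip(".").lower()

def excluded(qname: str) -> bool:
    """True if qname is at or below a zone on the exclusion list."""
    labels = cache_key(qname).split(".")
    return any(".".join(labels[i:]) in NO_0X20_ZONES for i in range(len(labels)))

def encode_0x20(qname: str, randbits=secrets.randbits) -> str:
    """Flip the 0x20 bit of each ASCII letter at random; excluded names pass unchanged."""
    if excluded(qname):
        return qname
    return "".join(
        chr(ord(c) ^ 0x20) if c.isascii() and c.isalpha() and randbits(1) else c
        for c in qname
    )

def response_acceptable(sent_qname: str, echoed_qname: str) -> bool:
    """Accept a response only if the auth echoed the question.
    With 0x20 active the echo must match byte for byte; for excluded
    zones a case-insensitive match is enough."""
    if excluded(sent_qname):
        return cache_key(sent_qname) == cache_key(echoed_qname)
    return sent_qname == echoed_qname

def answer_for_client(client_qname: str, cache: dict):
    """Case-insensitive cache lookup; the client gets back the casing it sent."""
    rrset = cache.get(cache_key(client_qname))
    return None if rrset is None else (client_qname, rrset)
```
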
