[dns-operations] TC=1 with RA=0 from a recursive resolver
bert.hubert at powerdns.com
Fri Mar 18 20:25:13 UTC 2016
On Fri, Mar 18, 2016 at 08:20:04PM +0100, Florian Weimer wrote:
> We have received a bug report that our stub resolver does not retry over
> TCP when asked to do so by some Google DNS resolvers:
> The reason is that we check for RA=0 first and treat the server as
> unusable if the bit is cleared. Only after that, we check the TC bit.
We ran into this glibc behaviour with dnsdist too and we adjusted. We did
not think it right to make this 'your' problem. Even if glibc adjusts, it
does nothing for users now or over the next year. So we now set RA=RD for
TC=1 responses, so things work.
I would recommend that Google do the same since waiting for updated glibc to
propagate is just too slow.
On a philosophical note, the glibc position is defensible, but since both
Google DNS and dnsdist made the mistake of setting RA=RD *after* judging if
the question merited a TC=0 response or not, it may be better to be
'liberal in what you accept'. Others might make the same mistake.
The device/software that does the TC intervention is possibly not even in a
position to *know* the proper value of the RA bit without sending on the
actual question, which does not help in reducing the load under DoS.
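
The flag-check ordering discussed in this message, as an added example that is not part of the original post and is not glibc, dnsdist or Google DNS code. The function names are hypothetical and the sample headers are constructed; the flag masks are the standard RFC 1035 header bits.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080

def build_header(txid, flags, qdcount=1):
    """Build a constructed 12-byte DNS header used as sample input."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)

def parse_flags(packet):
    """Extract the header bits a stub resolver looks at."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    return {"qr": bool(flags & QR), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA)}

def decide_ra_first(packet):
    """Order from the quoted report: RA=0 rejects the server before TC is checked."""
    f = parse_flags(packet)
    if not f["qr"]:
        return "drop"
    if not f["ra"]:
        return "server-unusable"
    return "retry-tcp" if f["tc"] else "accept"

def decide_tc_first(packet):
    """Liberal order: a truncated reply triggers the TCP retry; RA is judged afterwards."""
    f = parse_flags(packet)
    if not f["qr"]:
        return "drop"
    if f["tc"]:
        return "retry-tcp"
    return "accept" if f["ra"] else "server-unusable"

def set_ra_from_rd(flags):
    """Responder-side workaround described in the message: RA=RD on TC=1 responses."""
    if flags & TC:
        flags = (flags | RA) if flags & RD else (flags & ~RA)
    return flags

# Constructed sample: truncated UDP response with RD=1 copied from the query, RA=0.
TRUNCATED_RA0 = build_header(0x1234, QR | TC | RD)
# The same response after the responder applies RA=RD.
TRUNCATED_FIXED = build_header(0x1234, set_ra_from_rd(QR | TC | RD))
```

With the RA-first order the first sample never reaches the TCP retry; either the TC-first order on the client or the RA=RD adjustment on the responder restores it.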