[dns-operations] TC=1 with RA=0 from a recursive resolver

Damian Menscher damian at google.com
Fri Mar 18 21:39:01 UTC 2016


On Fri, Mar 18, 2016 at 1:25 PM, bert hubert <bert.hubert at powerdns.com>
wrote:

> On Fri, Mar 18, 2016 at 08:20:04PM +0100, Florian Weimer wrote:
> > We have received a bug report that our stub resolver does not retry over
> > TCP when asked to do so by some Google DNS resolvers:
> >
> >   https://bugzilla.redhat.com/show_bug.cgi?id=1319296
> >
> > The reason is that we check for RA=0 first and treat the server as
> > unusable if the bit is cleared.  Only after that, we check the TC bit.
>
> We ran into this glibc behaviour with dnsdist too and we adjusted. We did
> not think it right to make this 'your' problem. Even if glibc adjusts, it
> does nothing for users now or over the next year. So we now set RA=RD for
> TC=1 responses, so things work.
>
> I would recommend that Google do the same since waiting for updated glibc
> to propagate is just too slow.
>

Yup, we'll change this.  Thanks for the report and clear explanation of the
problem and fix.

Damian

> On a philosophical note, the glibc position is defensible, but the fact
> that both Google DNS and dnsdist made the mistake of setting RA=RD *after*
> judging if the question merited a TC=0 response or not means it may be
> better to be 'liberal in what you accept'.  Others might make the same
> mistake.
>
> The device/software that does the TC intervention is possibly not even in a
> position to *know* the proper value of the RA bit without sending on the
> actual question, which does not help in reducing the load under DoS.
>
>          Bert
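
Added example, not part of the original thread and not glibc, dnsdist or Google code: a C sketch of the two check orderings discussed above, applied to a constructed TC=1, RA=0 response header, together with the server-side RA=RD workaround. All function, macro and variable names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits (RFC 1035, section 4.1.1), as masks on header bytes. */
#define TC_BIT 0x02 /* byte 2: truncated, client should retry over TCP */
#define RD_BIT 0x01 /* byte 2: recursion desired, copied from the query */
#define RA_BIT 0x80 /* byte 3: recursion available */
enum action { USE_ANSWER, RETRY_TCP, SKIP_SERVER, MALFORMED };

/* Constructed sample header: ID 0x1234, QR=1, TC=1, RD=1, RA=0, QDCOUNT=1. */
static const uint8_t SAMPLE[12] = { 0x12, 0x34, 0x83, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };

/* Ordering from the bug report: RA is judged before TC is looked at. */
enum action classify_ra_first(const uint8_t *m, size_t len)
{
    if (len < 12) return MALFORMED;            /* shorter than a DNS header */
    if (!(m[3] & RA_BIT)) return SKIP_SERVER;  /* TC is never reached */
    return (m[2] & TC_BIT) ? RETRY_TCP : USE_ANSWER;
}

/* Tolerant ordering: honour TC before judging the server by RA. */
enum action classify_tc_first(const uint8_t *m, size_t len)
{
    if (len < 12) return MALFORMED;
    if (m[2] & TC_BIT) return RETRY_TCP;
    return (m[3] & RA_BIT) ? USE_ANSWER : SKIP_SERVER;
}

/* Server-side workaround from the thread: on a TC=1 response, set RA=RD. */
void set_ra_from_rd(uint8_t *m, size_t len)
{
    if (len < 12 || !(m[2] & TC_BIT)) return;  /* only touch TC=1 responses */
    m[3] = (uint8_t)((m[3] & 0x7f) | ((m[2] & RD_BIT) ? RA_BIT : 0));
}

/* What the RA-first client decides once the workaround is applied to SAMPLE. */
enum action strict_after_workaround(void)
{
    uint8_t copy[sizeof SAMPLE];
    memcpy(copy, SAMPLE, sizeof copy);
    set_ra_from_rd(copy, sizeof copy);
    return classify_ra_first(copy, sizeof copy);
}

int main(void)
{
    printf("ra_first=%d tc_first=%d ra_first_after_workaround=%d\n",
           classify_ra_first(SAMPLE, 12), classify_tc_first(SAMPLE, 12),
           strict_after_workaround());
    return 0;
}
```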