[dns-operations] Very strange DNS bug at Hurricane Electric

Florian Weimer fw at deneb.enyo.de
Mon Mar 21 21:49:54 UTC 2016


* Mark Andrews:

> In message <87vb4f92kg.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>> * Stephane Bortzmeyer:
>>
>> > The authoritative name servers do reply, but only empty responses:
>> >
>> > % dig @216.218.130.2             NS he.net
>> >
>> > ; <<>> DiG 9.10.2-P2 <<>> @216.218.130.2 NS he.net
>> > ; (1 server found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42388
>> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> > ;; WARNING: recursion requested but not available
>> >
>> > ;; OPT PSEUDOSECTION:
>> > ; EDNS: version: 0, flags: do; udp: 1680
>> > ;; QUESTION SECTION:
>> > ;he.net.                        IN NS
>> >
>> > ;; Query time: 162 msec
>> > ;; SERVER: 216.218.130.2#53(216.218.130.2)
>> > ;; WHEN: Mon Mar 21 17:23:29 CET 2016
>> > ;; MSG SIZE  rcvd: 35
>>
>> This test is not valid for an authoritative server because you sent an
>> RD=1 query.  The server appears to be subject to anycast, so maybe try
>> again with +norecurse +nsid?
>
> Absolute garbage.  If you don't offer recursion then all answers
> should be generated as if the query had RD=0. Which is the case here
> as RA is zero.  See RFC 1034.

But that's not how actual deployments work where a reverse proxy
distributes incoming queries based on the RD flag.

I don't know if HE does that, but it's certainly better to use
+norecurse to closely approximate what recursors are doing.

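As an added illustration that is not code from this thread: a minimal wire-level version of the checks being argued about, where `build_query` clears RD and adds the empty NSID option the way `dig +norecurse +nsid` does, `parse_message` reads back the header flags, section counts and any NSID string, and `diagnose` summarises what a reply like the quoted one does and does not tell you. The 35-byte `HE_RESPONSE` is constructed here from the quoted dig output, and all function names are my own.

```python
import struct

OPT_TYPE, NSID_CODE, DO_BIT = 41, 3, 0x8000   # RFC 6891 OPT RR, RFC 5001 NSID, DNSSEC OK bit

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(qid, name, qtype, rd, nsid=True, udp_size=4096):
    # rd=False is what `dig +norecurse` sends; nsid=True adds the empty NSID option of `+nsid`
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = struct.pack("!HH", NSID_CODE, 0) if nsid else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)   # compression pointer (2 bytes) or root label (1 byte)

def parse_message(msg):
    # Header flags and section counts, plus the NSID string if an OPT RR carried one
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "rcode": flags & 0xF, "answer": an, "authority": ns, "additional": ar, "nsid": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        o = off
        while rtype == OPT_TYPE and o < off + rdlen:  # walk the EDNS options
            code, olen = struct.unpack("!HH", msg[o:o + 4])
            if code == NSID_CODE:
                out["nsid"] = msg[o + 4:o + 4 + olen].decode("ascii", "replace")
            o += 4 + olen
        off += rdlen
    return out

def diagnose(query, response):
    # The checks to apply before reading anything into an authoritative server's reply
    q, r = parse_message(query), parse_message(response)
    return {"rd_set_in_query": q["rd"], "recursion_offered": r["ra"],
            "empty_noerror": r["rcode"] == 0 and r["answer"] + r["authority"] == 0,
            "instance_identified": r["nsid"] is not None}
# Constructed 35-byte reply mirroring the quoted dig output (id 42388, flags qr rd, one OPT RR, udp 1680)
HE_RESPONSE = (struct.pack("!HHHHHH", 42388, 0x8100, 1, 0, 0, 1) + encode_name("he.net")
               + struct.pack("!HH", 2, 1) + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1680, DO_BIT, 0))
```

Running `diagnose(build_query(42388, "he.net", 2, rd=True), HE_RESPONSE)` reports RD set in the query, no recursion offered, an empty NOERROR reply and no NSID, which is exactly why the quoted test says little about which instance answered or how it treats resolver traffic.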