[dns-operations] Very strange DNS bug at Hurricane Electric

Mark Andrews marka at isc.org
Mon Mar 21 22:28:14 UTC 2016


In message <87a8lr8prx.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Mark Andrews:
> 
> > In message <87vb4f92kg.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> >> * Stephane Bortzmeyer:
> >>
> >> > The authoritative name servers do reply, but only empty responses:
> >> >
> >> > % dig @216.218.130.2             NS he.net
> >> >
> >> > ; <<>> DiG 9.10.2-P2 <<>> @216.218.130.2 NS he.net
> >> > ; (1 server found)
> >> > ;; global options: +cmd
> >> > ;; Got answer:
> >> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42388
> >> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >> > ;; WARNING: recursion requested but not available
> >> >
> >> > ;; OPT PSEUDOSECTION:
> >> > ; EDNS: version: 0, flags: do; udp: 1680
> >> > ;; QUESTION SECTION:
> >> > ;he.net.                        IN NS
> >> >
> >> > ;; Query time: 162 msec
> >> > ;; SERVER: 216.218.130.2#53(216.218.130.2)
> >> > ;; WHEN: Mon Mar 21 17:23:29 CET 2016
> >> > ;; MSG SIZE  rcvd: 35
> >>
> >> This test is not valid for an authoritative server because you sent an
> >> RD=1 query.  The server appears to be subject to anycast, so maybe try
> >> again with +norecurse +nsid?
> >
> > Absolute garbage.  If you don't offer recursion then all answers
> > should be generated as if the query had RD=0, which is the case here
> > as RA is zero.  See RFC 1034.
> 
> But that's not how actual deployments work where a reverse proxy
> distributes incoming queries based on the RD flag.

The point of writing a standard is that *everyone* has an understanding
of how operations are supposed to be processed.  If the reverse
proxy is not standards compliant it should be fixed / removed.  When
you list a nameserver in a TLD you are telling the world "Here is
a device that will follow the standards".

If you want to play with something that is not standards compliant
that is fine.  Just don't list it in the public DNS.

Now if everyone would follow the standards we could actually
reject answers like this, as AA=0 when we expect an AA=1 response.

> I don't know if HE does that, but it's certainly better to use
> +norecurse to closely approximate what recursors are doing.

Recursors aren't the only clients.  A nameserver should work with
any RFC compliant client.

It looks like HE has fixed the problem whatever it was.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
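The message above argues from the DNS header bits: RA=0 means the server processed the query as if RD=0, so the RD bit in the reply is irrelevant, and what a client expecting an authoritative server should reject is a NOERROR reply with AA=0 and an empty body. The following is an added example, not code from the thread, from ISC or from Hurricane Electric. It rebuilds the 35-byte reply that the quoted dig output describes (id 42388, flags "qr rd", QDCOUNT 1, ARCOUNT 1, OPT with udp 1680 and DO set) from that output alone, parses the header and the OPT record, and applies the AA check. The reply bytes are a constructed reproduction, not a capture, and the acceptance policy in check_authoritative_answer is one reasonable reading of the message, not a published rule.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1.
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_NS, TYPE_OPT = 2, 41


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(msg_id, flags, qname, qtype, udp_size=1680, do=True):
    """Constructed reply: header, one question, no answer/authority, one OPT RR."""
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags (DO bit is 0x8000), empty RDATA.
    ttl = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


# Reproduction of the reply shown in the thread (constructed from the dig output).
OBSERVED = build_response(42388, FLAG_QR | FLAG_RD, "he.net", TYPE_NS)


def decode_name(msg, off):
    """Read a name at offset off; handles compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:
            ptr = ((n & 0x3F) << 8) | msg[off]
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            off += 1
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_response(msg):
    """Return header fields, the question, and EDNS details if an OPT RR is present."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": msg_id,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "edns": None,
    }
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info["question"] = (qname, qtype, qclass)
    # Walk every RR after the question; only the OPT record is interpreted here.
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and name == ".":
            info["edns"] = {"udp_size": rclass,
                            "version": (ttl >> 16) & 0xFF,
                            "do": bool(ttl & 0x8000)}
    return info


def describe_flags(info):
    """Same spelling dig uses in its 'flags:' line, e.g. 'qr rd'."""
    names = [("qr", "qr"), ("aa", "aa"), ("tc", "tc"), ("rd", "rd"), ("ra", "ra")]
    return " ".join(label for key, label in names if info[key])


def check_authoritative_answer(msg):
    """Policy for a reply from a server listed as authoritative for the zone.

    RA=0 tells us the server had to treat the query as RD=0 (RFC 1034), so the
    echoed RD bit is not a reason to discard anything.  AA=0 on a NOERROR reply
    with nothing in answer or authority is: an authoritative server would have
    set AA=1 and returned either the NS set or a NODATA with the SOA.
    """
    r = parse_response(msg)
    if not r["qr"]:
        return "reject: not a response"
    if r["rcode"] != 0:
        return "reject: rcode %d" % r["rcode"]
    if not r["aa"]:
        return "reject: AA=0 from a server expected to be authoritative"
    return "accept"
```

Running check_authoritative_answer(OBSERVED) yields the AA=0 rejection; flipping FLAG_AA on in build_response is the only change needed for the same 35-byte message to be accepted, which is the point of the message: the RD bit and the anycast distribution behind it are irrelevant to what the client can verify, the AA bit is not.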
