[dns-operations] TC=1 with RA=0 from a recursive resolver
fweimer at redhat.com
Wed Mar 23 12:10:20 UTC 2016
On 03/18/2016 09:25 PM, bert hubert wrote:
> On Fri, Mar 18, 2016 at 08:20:04PM +0100, Florian Weimer wrote:
>> We have received a bug report that our stub resolver does not retry over
>> TCP when asked to do so by some Google DNS resolvers:
>> The reason is that we check for RA=0 first and treat the server as
>> unusable if the bit is cleared. Only after that, we check the TC bit.
> We ran into this glibc behaviour with dnsdist too and we adjusted. We did
> not think it right to make this 'your' problem. Even if glibc adjusts, it
> does nothing for users now or over the next year. So we now set RA=RD for
> TC=1 responses, so things work
Thanks. I don't think my initial comment that we can easily swap the RA
and TC checks is correct: Our TCP path cannot cope well with unusable
servers because not all checks we have on the UDP path are duplicated
there, so we might get stuck on an unusable server.
I'll make a note to fix this, but it's not as straightforward as I
thought. I agree that we should better support reverse DNS proxies
which do not set RA according to the old rules.
More information about the dns-operations