[dns-operations] [Ext] Verisign TLDs, some other servers may trim critical glue from very large referrals

Vladimír Čunát vladimir.cunat+ietf at nic.cz
Fri Jan 4 16:52:08 UTC 2019


On 1/4/19 3:43 PM, Edward Lewis wrote:
> This is an interesting protocol-implementation question. What's being
> returned by the server in this case is reasonable (according to the
> protocol) but evidently less than useful.
TL;DR: I think we should change the protocol _if_ it currently allows
that, even though it currently seems a rather rare edge case.

Still, at a quick check I'm not yet convinced whether the protocol
allows that, due to RFC formulations being a bit vague:

> The TC bit should be set in responses only when an RRSet is required
> as a part of the response, but could not be included in its entirety. [1]

> Put whatever addresses are available into the additional section,
> using glue RRs if the addresses are not available from authoritative
> data or the cache. [2]

I'd really hate recommending additional resolver workarounds in the style
of: "the upstream server's (non-)replies are suspicious, let's try turning
off things like EDNS or case randomization, tweaking the buffer length, ...
and see if it gets better".  /cc https://dnsflagday.net/

[1] https://tools.ietf.org/html/rfc2181#section-9
[2] https://tools.ietf.org/html/rfc6672#section-3.2
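The two server behaviours the thread contrasts, modelled in a small added example (not part of the original post and not code from any of the servers or resolvers mentioned): one authoritative side silently trims glue from the additional section so a large referral fits the payload limit, the other sets TC when glue it cannot include is for names below the delegation point, i.e. an RRSet "required as a part of the response" in the RFC 2181 wording. A resolver-side check then tells the two replies apart. The delegation (`big.example.` with eleven in-bailiwick nameservers and AAAA glue), the payload limits and the message id are constructed; names are written uncompressed so the parser stays short.

```python
"""Model of a DNS referral squeezed into a UDP payload limit.

Added example, not part of the original post. Contrasts a server that
silently trims glue to make the referral fit with one that sets TC when
required glue cannot be included, plus the resolver-side check that tells
the two replies apart. The delegation, names and sizes are constructed;
names are encoded without label compression (RFC 1035 section 4).
"""
import ipaddress
import struct

TYPE_NS, TYPE_AAAA = 2, 28
FLAG_QR, FLAG_TC = 0x8000, 0x0200

# Constructed delegation: eleven in-bailiwick nameservers, one AAAA glue each.
CHILD = "big.example."
NS_NAMES = [f"ns{i}.{CHILD}" for i in range(1, 12)]
GLUE = {ns: [ipaddress.IPv6Address(f"2001:db8::{i}").packed]
        for i, ns in enumerate(NS_NAMES, start=1)}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner, rtype, rdata, ttl=172800):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def in_bailiwick(name, zone):
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def build_referral(qname, child, ns_names, glue, max_size, policy):
    """Referral to `child` for `qname` under a payload limit.

    "trim": drop whole glue RRSets until the reply fits and never set TC.
    "tc":   same trimming, but set TC when a dropped RRSet is glue for a
            name below the delegation point (unresolvable without it).
    """
    question = encode_name(qname) + struct.pack("!HH", TYPE_AAAA, 1)
    authority = b"".join(rr(child, TYPE_NS, encode_name(ns)) for ns in ns_names)
    used = 12 + len(question) + len(authority)
    if used > max_size:
        raise ValueError("NS RRSet alone does not fit; a real server must set TC")
    additional, arcount, tc = b"", 0, False
    for ns in ns_names:
        rrset = b"".join(rr(ns, TYPE_AAAA, a) for a in glue.get(ns, []))
        if used + len(additional) + len(rrset) <= max_size:
            additional += rrset
            arcount += len(glue.get(ns, []))
        elif policy == "tc" and in_bailiwick(ns, child):
            tc = True  # required glue could not be included in its entirety
    flags = FLAG_QR | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(ns_names), arcount)
    return header + question + authority + additional


def read_name(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def parse_referral(msg):
    """Return (tc, ns_targets, names_with_glue) from an uncompressed reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    targets, glued = [], set()
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            targets.append(read_name(msg, off)[0])
        elif rtype == TYPE_AAAA:
            glued.add(owner)
        off += rdlen
    return bool(flags & FLAG_TC), targets, glued


def referral_is_usable(msg, child):
    """Resolver-side check: can this referral be followed at all?

    TC set is fine: the normal retry over TCP applies. Without TC, at least
    one NS target must be out of bailiwick or have glue in the reply.
    """
    tc, targets, glued = parse_referral(msg)
    if tc:
        return True
    return any(not in_bailiwick(t, child) or t in glued for t in targets)


if __name__ == "__main__":
    for limit in (512, 1232):
        for policy in ("trim", "tc"):
            msg = build_referral(f"www.{CHILD}", CHILD, NS_NAMES, GLUE, limit, policy)
            tc, targets, glued = parse_referral(msg)
            print(f"limit={limit} policy={policy}: {len(msg)} bytes, TC={tc}, "
                  f"glue {len(glued)}/{len(targets)}, usable={referral_is_usable(msg, CHILD)}")
```

At a 512-byte limit the eleven NS records alone take 475 bytes, so no glue RRSet fits: the "trim" reply comes back with TC clear and an empty additional section, which the check flags as unusable, while the "tc" reply is the same size but carries TC and so gets the ordinary TCP retry. At 1232 bytes every glue RRSet fits and both policies agree.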

