[dns-operations] [Ext] Verisign TLDs, some other servers may trim critical glue from very large referrals
vladimir.cunat+ietf at nic.cz
Fri Jan 4 16:52:08 UTC 2019
On 1/4/19 3:43 PM, Edward Lewis wrote:
> This is an interesting protocol-implementation question. What's being
> returned by the server in this case is reasonable (according to the
> protocol) but evidently less than useful.

TL;DR: I think we should change the protocol _if_ it currently allows
that, even though it seems currently a rather rare edge case.

Still, at a quick check I'm not yet convinced whether the protocol
allows that, due to RFC formulations being a bit vague:

> The TC bit should be set in responses only when an RRSet is required
> as a part of the response, but could not be included in its entirety.

> Put whatever addresses are available into the additional section,
> using glue RRs if the addresses are not available from authoritative
> data or the cache.

I'd really hate recommending additional resolver workarounds in the style of:
"the upstream server's (non-)replies are suspicious, let's try turning
off things like EDNS, case randomization, tweak buffer length,... and
see if it gets better". /cc https://dnsflagday.net/
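
The case discussed in this message, as an added example that is not part of the original post and not taken from any resolver or server: a check that classifies a referral by whether glue for in-bailiwick name servers is present and whether TC was set when it is not. The `Referral` structure, the result labels, and the simplification that out-of-bailiwick name servers can be resolved independently are assumptions of this example.

```python
from dataclasses import dataclass, field

def _labels(name):
    # Lower-cased labels, root first, trailing dot ignored.
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]

def in_bailiwick(host, zone):
    """True if host is at or below zone, so its address must arrive as glue."""
    h, z = _labels(host), _labels(zone)
    return h[:len(z)] == z

@dataclass
class Referral:                      # hypothetical, already-parsed referral
    zone: str                        # owner of the NS RRset (authority section)
    ns_names: list                   # NS targets, assumed unique
    glue: dict = field(default_factory=dict)  # additional: name -> addresses
    tc: bool = False                 # TC bit from the response header

def classify(r):
    """Return (verdict, missing): missing = in-bailiwick NS names without glue."""
    required = [n for n in r.ns_names if in_bailiwick(n, r.zone)]
    have = {".".join(_labels(k)) for k, addrs in r.glue.items() if addrs}
    missing = [n for n in required if ".".join(_labels(n)) not in have]
    if not missing:
        return "complete", missing
    # Assumption: an out-of-bailiwick NS name is resolvable on its own.
    if len(r.ns_names) - len(missing) > 0:
        return "partial", missing
    # Nothing to follow: with TC set the resolver can retry over TCP;
    # with TC clear it has no signal that anything was left out.
    return ("retry-tcp" if r.tc else "dead-end"), missing

if __name__ == "__main__":
    # Constructed sample data (documentation names and addresses).
    ns = ["ns1.example.com.", "ns2.example.com."]
    samples = [
        Referral("example.com.", ns, {"ns1.example.com.": ["192.0.2.1"],
                                      "ns2.example.com.": ["192.0.2.2"]}),
        Referral("example.com.", ns, {}, tc=True),
        Referral("example.com.", ns, {}, tc=False),
    ]
    for s in samples:
        print(classify(s))
```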