[dns-operations] sophosxl.net problem?
Tony Finch
dot at dotat.at
Mon Nov 11 13:49:15 UTC 2019
Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> Reading that issue it seems that the servers in question return
> cached non-authoritative data even when the request has RD=0,
> provided some recent RD=1 query brings the data into the cache.
This is normal for recursive servers. Whether this traditional behaviour
is sensible or not is another question. If a recursive server has mutually
distrusting clients then it's a privacy leak known as DNS cache snooping.
> In which case the issue is not *failing* to set AA=1, but rather
> a server that is authoritative for some domains and recursive for
> others allowing non-authoritative cached data to leak into RD=0
> replies.
>
> How common are such servers? Is their behaviour incorrect?
Dunno about how common they are. There are two misconfigurations: servers
identified in public NS records should be authoritative for the zone (but
these ones are not) and they should not offer recursion (but these ones
do).
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Humber, Thames: South veering west or southwest, 6 to gale 8. Moderate or
rough. Showers. Good.
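The two checks Tony describes (a server named in public NS records should answer the zone's names with AA=1, and should not offer recursion) and Viktor's observation (an RD=0 query getting back non-authoritative data that only an earlier RD=1 query could have cached, i.e. the cache-snooping signal) can both be read off the DNS header flags. The following is an added example, not code from the thread or from any of the participants: it builds an RD=0 query from scratch, decodes the reply header, and reports the findings. The server, name and address used are placeholders (example.com, 192.0.2.1), and the replies in the self-test are constructed fixtures, not captured traffic.

```python
import secrets
import socket
import struct

# Header flag bits from RFC 1035 section 4.1.1.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txn_id=0x1234, rd=False):
    """Build a DNS query. rd=False leaves RD clear, so a compliant server
    must answer only from authoritative data or from what it already holds."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Decode the 12-byte DNS header into flags and section counts."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x0F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_ns_reply(header):
    """Findings for an RD=0 reply from a server that a public NS record names.

    RA=1 means the server offers recursion. An answer section with AA=0 in
    reply to an RD=0 query can only have come from a cache, which is both
    the misconfiguration discussed above and what cache snooping relies on.
    """
    findings = []
    if header["ra"]:
        findings.append("RA=1: server offers recursion")
    if header["ancount"] > 0 and not header["aa"]:
        findings.append("AA=0 with answers: non-authoritative cached data returned to RD=0 query")
    if (header["ancount"] == 0 and header["nscount"] == 0
            and not header["aa"] and header["rcode"] == 0):
        findings.append("AA=0, empty reply: not authoritative for the name and nothing cached")
    return findings


def build_a_reply(query, ipv4, aa, ra, ttl=300):
    """Construct a reply to `query` carrying one A record.
    Test fixture only; this is not output from any real server."""
    txn_id, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (AA if aa else 0) | (RA if ra else 0) | (qflags & RD)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(o) for o in ipv4.split("."))
    # 0xC00C is a compression pointer to the QNAME at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def probe(server, name, timeout=3.0):
    """Send an RD=0 A query over UDP and classify the reply. Needs network access."""
    query = build_query(name, txn_id=secrets.randbits(16), rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    header = parse_header(data)
    if header["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch; discarding reply")
    return header, classify_ns_reply(header)


if __name__ == "__main__":
    # Offline demonstration on constructed replies; swap in probe(ns_ip, name)
    # to test a real server listed in a zone's NS records.
    q = build_query("www.example.com", rd=False)
    for label, reply in [
        ("authoritative", build_a_reply(q, "192.0.2.1", aa=True, ra=False)),
        ("recursive leak", build_a_reply(q, "192.0.2.1", aa=False, ra=True)),
    ]:
        print(label, classify_ns_reply(parse_header(reply)))
```

Run `probe()` twice against a suspect server: first with RD=0 for a name you have never queried through it, then (from a client it serves recursion to) with RD=1, then again with RD=0. A server behaving as the thread describes answers the last query with AA=0 and the data the RD=1 query pulled in; a properly authoritative-only server answers with AA=1 regardless and never sets RA.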