[dns-operations] sophosxl.net problem?

Tony Finch dot at dotat.at
Mon Nov 11 13:49:15 UTC 2019

Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> Reading that issue it seems that the servers in question return
> cached non-authoritative data even when the request has RD=0,
> provided some recent RD=1 query brings the data into the cache.

This is normal for recursive servers. Whether this traditional behaviour
is sensible or not is another question. If a recursuve server has mutually
distrusting clients then it's a privacy leak known as DNS cache snooping.

> In which case the issue is not *failing* to set AA=1, but rather
> a server that is authoritative for some domains and recursive for
> others allowing non-authoritative cached data to leak into RD=0
> replies.
> How common are such servers?  Is their behaviour incorrect?

Dunno about how common they are. There are two misconfigurations: servers
identified in public NS records should be authoritative for the zone (but
these ones are not) and they should not offer recursion (but these ones

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Humber, Thames: South veering west or southwest, 6 to gale 8. Moderate or
rough. Showers. Good.

More information about the dns-operations mailing list