[dns-operations] sophosxl.net problem?

Paul Vixie paul at redbarn.org
Mon Nov 11 16:01:03 UTC 2019



Viktor Dukhovni wrote on 2019-11-10 20:32:
>> ...
>>
>> <https://github.com/PowerDNS/pdns/issues/8150>
> 
> Reading that issue it seems that the servers in question return
> cached non-authoritative data even when the request has RD=0,
> provided some recent RD=1 query brings the data into the cache.
> 
> In which case the issue is not *failing* to set AA=1, but rather
> a server that is authoritative for some domains and recursive for
> others allowing non-authoritative cached data to leak into RD=0
> replies.
> 
> How common are such servers?  Is their behaviour incorrect?

we called this bug "bind8" and before that "bind4", which, when operating
in authoritative + recursive mode, kept all data no matter where it came
from in a single tree. a decade was spent trying to tag things to prevent
leaks of recursive data into authoritative answers.

the fix was called "bind9" which does not leak in this way.

there's also a general trend to authoritative-only and recursive-only,
rather than doing both in one name server, even though modern name
servers (not just bind9) no longer leak.

-- 
P Vixie
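The leak Viktor describes (a reply to an RD=0 probe that carries answer data but no AA bit) can be recognised from the DNS header alone. The following is an added example, not code from either poster or from PowerDNS; it decodes the RFC 1035 header with the standard library and classifies a reply to a query that was sent with RD=0. The reply bytes used below are constructed header-only stubs (no question or RR sections), built by the hypothetical helper `make_reply`.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1); 16-bit flags word.
QR = 1 << 15          # 1 = response
AA = 1 << 10          # authoritative answer
RD = 1 << 8           # recursion desired (copied from the query)
RA = 1 << 7           # recursion available
RCODE_MASK = 0xF


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_rd0_reply(resp: bytes) -> str:
    """Classify a reply to a probe sent with RD=0 to a server that is
    expected to be authoritative for the queried name.

    "leak" is the bind4/bind8-style behaviour from the thread: NOERROR
    with answer records but AA=0, i.e. cached (non-authoritative) data
    handed out on a non-recursive query. A referral (no answers, NS
    records in the authority section, AA=0) is legitimate and is not
    flagged.
    """
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["aa"]:
        return "authoritative"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "leak"
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"
    return "other"


def make_reply(flags: int, ancount: int, nscount: int = 0, ident: int = 0x1234) -> bytes:
    """Constructed sample: header-only reply, QDCOUNT=1, sections omitted."""
    return struct.pack("!6H", ident, flags, 1, ancount, nscount, 0)
```

Against a live server the same classifier would be applied to the bytes returned for an RD=0 query; a "leak" verdict for a name the server is supposed to be authoritative for is the symptom discussed in the PowerDNS issue.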
