[dns-operations] sophosxl.net problem?
paul at redbarn.org
Mon Nov 11 16:01:03 UTC 2019
Viktor Dukhovni wrote on 2019-11-10 20:32:
> Reading that issue it seems that the servers in question return
> cached non-authoritative data even when the request has RD=0,
> provided some recent RD=1 query brings the data into the cache.
> In which case the issue is not *failing* to set AA=1, but rather
> a server that is authoritative for some domains and recursive for
> others allowing non-authoritative cached data to leak into RD=0
> How common are such servers? Is their behaviour incorrect?
we called this bug "bind8" and before that "bind4", which, when operating
in authoritative + recursive mode, kept all data no matter
where it came from in a single tree. a decade was spent trying to tag
things to prevent leaks of recursive data into authoritative answers.
the fix was called "bind9" which does not leak in this way.
there's also a general trend to authoritative-only and recursive-only,
rather than doing both in one name server, even though modern name
servers (not just bind9) no longer leak.
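The leak Viktor describes shows up in the header of a response to an RD=0 query: answer records are present, yet AA is clear. As an added example (not code from this thread, from BIND, or from any listed project), here is a stdlib-only Python header parser and a classifier for responses to RD=0 probes against a server you operate; the sample headers are constructed, and the function and constant names are my own.

```python
import struct

# DNS header flag bits from RFC 1035 section 4.1.1 (QR, AA, TC, RD, RA).
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7


def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header; used here only to construct sample responses."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)


def parse_header(wire):
    """Unpack the 12-byte header of a DNS message into its flag fields and counts."""
    if len(wire) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def classify_rd0_response(wire):
    """Classify a response to an RD=0 probe sent to a server that also recurses.

    A responder echoes the query's RD bit, so RD=1 in the response means the
    probe was not actually sent with RD=0 and the result says nothing.
    """
    h = parse_header(wire)
    if not h["qr"]:
        return "not-a-response"
    if h["rd"]:
        return "probe-was-rd1"
    if h["rcode"] != 0:
        return "error-rcode-%d" % h["rcode"]
    if h["ancount"] == 0:
        return "no-answer"
    if h["aa"]:
        return "authoritative"
    # Answer records present with AA clear on an RD=0 query: the server handed
    # back data that did not come from its own zones, i.e. cached recursive
    # data leaking into a non-recursive answer.
    return "non-authoritative-data-in-rd0-answer"


# Constructed sample headers (not captured traffic). A query section and
# records would follow in a real message; only the header is needed here.
GOOD = build_header(0x1234, QR | AA, qdcount=1, ancount=1)   # proper zone answer
LEAKY = build_header(0x1234, QR | RA, qdcount=1, ancount=1)  # RA set, AA clear
EMPTY = build_header(0x1234, QR | AA, qdcount=1, ancount=0)  # authoritative, no data
RD1 = build_header(0x1234, QR | RD | RA, qdcount=1, ancount=1)  # probe had RD=1

if __name__ == "__main__":
    for name, wire in (("GOOD", GOOD), ("LEAKY", LEAKY), ("EMPTY", EMPTY), ("RD1", RD1)):
        print(name, classify_rd0_response(wire))
```

To use it against a live server, send the probe with RD=0 for a name the server is not authoritative for and pass the raw response bytes to classify_rd0_response; a result of "non-authoritative-data-in-rd0-answer" is the behaviour this thread is about, while "authoritative", "no-answer" or a REFUSED rcode is what a non-leaking server returns.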