[dns-operations] sophosxl.net problem?

Dave Lawrence tale at dd.org
Mon Nov 11 19:36:09 UTC 2019

Paul Vixie writes:
> so, answering REFUSED when authoritative-only and receiving RD=1, and 
> answering REFUSED when recursive-only and receiving RD=0, and treating 
> AA=0 as "lame" when doing recursion, all lead to a choppy present but a 
> smoother future.

The third one seems distinctly different to me than the first two.
How does changing those behaviours lead to a better future?

In the first, RD=1 is merely useless so there's really no reason to be
a busy-body about it.  In the second, RD=0 is a reasonable way to
query the state of the cache without changing it, and one I have
personally found use for in my own debugging.  Both of them are
standards-reasonable ways to 

In the last, AA=0 is a clear standards-noncompliant signalling failure
for which it is entirely appropriate to treat the responder as lame.
(OTOH, if the data can be DNSSEC-validated, hey then whatever, AA was
just redundant -- the data was authoritative even if the responder wasn't.)
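
The three behaviours in the quoted proposal, together with the DNSSEC caveat from the reply, written out as header-flag checks. This is an added example, not part of the original message; the function names, role labels and sample headers are constructed, and the lameness check is limited to responses that carry answer records, since referrals legitimately have AA=0.

```python
import struct

# Header flag bits from RFC 1035 section 4.1.1
QR, AA, RD = 0x8000, 0x0400, 0x0100

def make_header(flags: int, ancount: int = 0) -> bytes:
    """Build a constructed 12-byte DNS header (ID 0x1234, one question)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

def parse_header(msg: bytes) -> dict:
    """Decode the header fields that the checks below depend on."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ancount": ancount}

def query_policy(role: str, query: bytes) -> str:
    """Server side: the first two behaviours of the quoted proposal.
    role is 'authoritative-only' or 'recursive-only' (hypothetical labels)."""
    h = parse_header(query)
    if h["qr"]:
        raise ValueError("not a query")
    if role == "authoritative-only" and h["rd"]:
        return "REFUSED"   # recursion requested from a server that never recurses
    if role == "recursive-only" and not h["rd"]:
        return "REFUSED"   # this also rejects RD=0 cache inspection
    return "ANSWER"

def is_lame(response: bytes, dnssec_validated: bool = False) -> bool:
    """Resolver side: the third behaviour. The response is assumed to come
    from a server the delegation names as authoritative for the zone."""
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["ancount"] == 0:
        return False       # referral or empty answer: not judged here (assumption)
    if dnssec_validated:
        return False       # validated data stands without the AA bit
    return not h["aa"]

if __name__ == "__main__":
    for role in ("authoritative-only", "recursive-only"):
        for flags in (0, RD):
            print(role, "RD=%d" % bool(flags), query_policy(role, make_header(flags)))
    print("AA=0 answer lame:", is_lame(make_header(QR, 1)))
    print("AA=0 answer, validated:", is_lame(make_header(QR, 1), True))
```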
