[dns-operations] sophosxl.net problem?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 11 19:57:21 UTC 2019


> On Nov 11, 2019, at 2:36 PM, Dave Lawrence <tale at dd.org> wrote:
> 
> In the last, AA=0 is a clear standards-noncompliant signalling failure
> for which it is entirely appropriate to treat the responder as lame.
> (OTOH, if the data can be DNSSEC-validated, hey then whatever, AA was
> just redundant -- the data was authoritative even if the responder wasn't.)

But if the responder is authoritative only for a parent of the requested
domain, and is willing to do recursion for the child zone, and has the
answer cached, then if it also serves data from the cache with RD=0, it
will return AA=0 for the cached data, while the requestor believes the
server to be authoritative (for at least the top of the subtree).

And that's the situation in the PowerDNS issue, and it is not clear to
me that response violates any standards.

We can't have both of:

   * It is valid to return non-authoritative cached data for RD=0
   * It is invalid to return AA=0 in response to RD=0 requests.

Which shall it be? You say you find the first useful, but then you
really can't have the second, the responder isn't necessarily lame
if the qname is not the zone apex.

-- 
	Viktor.
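The distinction the message draws (AA=0 for the apex of a zone the server is delegated is a signalling failure, while AA=0 for a name below the apex may just be cached data served to an RD=0 query) is easy to get wrong when writing a lameness check. The following is an added example, not code from the thread, from PowerDNS or from Sophos: it builds RD=0 queries and constructed responses in wire format, parses the header flags, and classifies the AA=0 cases the way the message separates them. The RR contents, the zone name `example.` and the `classify` heuristic (treating RA=1 plus a non-empty answer section as "served from cache by a server willing to recurse") are assumptions made for the illustration.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name into uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234, qtype=1, rd=False):
    """Build a QTYPE/IN query; rd=False sends RD=0 as an iterative resolver would."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, aa, ra, rdatas):
    """Answer a query with A records, setting AA/RA as requested.
    Constructed test data (assumption), not a capture from any real server."""
    qid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (AA if aa else 0) | (RA if ra else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rdatas), 0, 0)
    question = query[12:]
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer back to the QNAME at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


def parse_header(msg):
    """Return the 12-byte header as a dict of flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x0F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def is_below(qname, zone):
    """True when qname is strictly below zone, i.e. not the zone apex itself."""
    q = qname.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(q) > len(z) and q[-len(z):] == z


def classify(hdr, qname, served_zone):
    """Classify a response from a server delegated for served_zone.

    Heuristic (assumption): an AA=0 answer for the apex is lame; an AA=0
    answer below the apex with RA=1 and answer records is treated as cached
    data from a server willing to recurse, which cannot be called lame on
    AA alone; an empty answer with NS records is an ordinary referral.
    """
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["aa"]:
        return "authoritative"
    if hdr["rd"]:
        return "recursive-answer"       # we asked with RD=1, so AA=0 is expected
    if not is_below(qname, served_zone):
        return "lame"                   # AA=0 at the apex: signalling failure
    if hdr["ancount"] > 0 and hdr["ra"]:
        return "cached-non-authoritative"
    if hdr["ancount"] == 0 and hdr["nscount"] > 0:
        return "referral"
    return "lame"


def demo():
    """Run the four cases and return their classifications."""
    rr = [bytes([192, 0, 2, 1])]            # 192.0.2.1, documentation prefix
    q_child = build_query("host.child.example.")
    q_apex = build_query("example.")
    q_rd = build_query("host.child.example.", rd=True)
    return {
        "child_cached": classify(parse_header(build_response(q_child, False, True, rr)),
                                 "host.child.example.", "example."),
        "apex_aa0": classify(parse_header(build_response(q_apex, False, True, rr)),
                             "example.", "example."),
        "apex_aa1": classify(parse_header(build_response(q_apex, True, False, rr)),
                             "example.", "example."),
        "rd_query": classify(parse_header(build_response(q_rd, False, True, rr)),
                             "host.child.example.", "example."),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of `classify` is the third branch: a resolver that flags every AA=0 reply to an RD=0 query as lame will also flag the cached-child-data case the message describes, so a lameness check has to know where the server's zone apex is before it can draw that conclusion.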