[dns-operations] sophosxl.net problem?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 11 22:54:31 UTC 2019

> On Nov 11, 2019, at 4:41 PM, Mark Andrews <marka at isc.org> wrote:
>> We can't have both of:
>>  * It is valid to return non-authoritative cached data for RD=0
>>  * It is invalid to return AA=0 in response to RD=0 requests.
>> Which shall it be? You say you find the first useful, but then you
>> really can't have the second, the responder isn't necessarily lame
>> if the qname is not the zone apex.
> This is a corner case for which there is no explicit signalling in the
> query.  There is decades old advice not to be configured as a recursive
> server if you are listed as authoritative for a zone (been delegated to)
> because it creates such corner cases.

Yes, exactly.  But sadly there are still some servers that are configured as
both, and so resolvers must continue to tolerate "unexpected" AA=0.

> If we want to solve this one needs to add more signalling.  Using AA=1 in the
> QUERY to signal that you don’t want to see answers from the cache would be a
> logical way to do this and would allow the client to say what it wants from the
> server.  One should, in theory, be able to send AA=1 in queries today without
> causing problems as it is supposed to be ignored.  The question then becomes
> when do you stop inferring no cache access from RD=0, AA=0 queries when you
> are willing to recurse for the client.

Sure, and the proposed signal makes sense, but this is not presently
defined, and therefore, concluding AA=0 => lame is not currently possible
except perhaps when qname == zone apex.

We'd first have to determine whether sending AA=1 in queries causes any
middle-box issues or unexpected nameserver behaviour, and then take
a decade to wait for the servers to honour the signal.

In practice it may be simpler to encourage operators to avoid mixed-mode
servers.  Perhaps BIND9's named could evolve to only support one of the
operating modes at a time, and the same with Microsoft DNS, ...  If you
want to do both pick a separate IP address for each.

If the two are never mixed the AA=1 signal in queries is not needed.

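Added example, not code from the thread or from either poster: a small DNS header packer/parser in Python that applies the reasoning above to an RD=0 query and its reply. It assumes the "AA=1 in the query" signal is only the hypothetical proposal discussed here (no server honours it), and it labels an AA=0 reply as lame only when qname equals the zone apex, treating every other AA=0 reply as ambiguous.

```python
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035 section 4.1.1).
QR = 1 << 15   # 1 = response
AA = 1 << 10   # authoritative answer
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available


def build_query_header(qid, rd=False, aa_signal=False):
    """12-byte header for a one-question query. rd=False is the RD=0 query
    the thread discusses; aa_signal=True sets AA in the query, the proposed
    (hypothetical, not standardised) 'no cached answers' signal."""
    flags = (RD if rd else 0) | (AA if aa_signal else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)


def build_response_header(qid, aa, ra=True, rcode=0):
    """Constructed response header, used here to exercise the classifier."""
    flags = QR | (AA if aa else 0) | (RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)


def parse_flags(header):
    """Extract the header bits a resolver looks at when judging a reply."""
    if len(header) < 12:
        raise ValueError("DNS header is shorter than 12 bytes")
    _, flags = struct.unpack("!HH", header[:4])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF}


def classify(query_header, response_header, qname, zone_apex):
    """Apply the thread's reasoning: what does AA=0 tell us about the server?"""
    q = parse_flags(query_header)
    r = parse_flags(response_header)
    if not r["qr"]:
        raise ValueError("not a response")
    if r["aa"]:
        return "authoritative"
    if q["rd"]:
        return "recursive-answer"   # we asked for recursion; AA=0 is normal
    if qname.lower().rstrip(".") == zone_apex.lower().rstrip("."):
        return "lame"   # at its own apex a real authority must set AA
    # Below the apex a mixed-mode server may answer RD=0 from its cache, or
    # the name may live in a delegated child zone, so AA=0 alone proves nothing.
    return "ambiguous"
```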