[dns-operations] sophosxl.net problem?

Mark Andrews marka at isc.org
Tue Nov 12 00:26:13 UTC 2019


Named behaves as authoritative only when RD=0.

In practice there are only a small number of servers that are listed as authoritative, have recursion enabled and have sub zones of those authoritative zones that they don’t also serve and don’t fallback to being authoritative on RD=0. 

-- 
Mark Andrews

> On 12 Nov 2019, at 10:05, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> 
>>> On Nov 11, 2019, at 4:41 PM, Mark Andrews <marka at isc.org> wrote:
>>> 
>>> We can't have both of:
>>> 
>>> * It is valid to return non-authoritative cached data for RD=0
>>> * It is invalid to return AA=0 in response to RD=0 requests.
>>> 
>>> Which shall it be? You say you find the first useful, but then you
>>> really can't have the second, the responder isn't necessarily lame
>>> if the qname is not the zone apex.
>> 
>> This is a corner case for which there is no explicit signalling in the
>> query.  There is decades old advice not to be configured as a recursive
>> server if you are listed as authoritative for a zone (been delegated to)
>> because it creates such corner cases.
> 
> Yes, exactly.  But sadly there are still some servers that are configured as
> both, and so resolvers must continue to tolerate "unexpected" AA=0.
> 
>> If we want to solve this one needs to add more signalling.  Using AA=1 in the
>> QUERY to signal that you don’t want to see answers from the cache would be a
>> logical way to do this and would allow the client to say what it wants from the
>> server.  One should, in theory, be able to send AA=1 in queries today without
>> causing problems as it is supposed to be ignored.  The question then becomes
>> when do you stop inferring no cache access from RD=0, AA=0 queries when you
>> are willing to recurse for the client.
> 
> Sure, and the proposed signal makes sense, but this is not presently
> defined, and therefore, concluding AA=0 => lame is not currently possible
> except perhaps when qname == zone apex.
> 
> We'd first have to determine whether sending AA=1 in queries causes any
> middle-box issues or unexpected nameserver behaviour, and then take
> a decade to wait for the servers to honour the signal.
> 
> In practice it may be simpler to encourage operators to avoid mixed-mode
> servers.  Perhaps BIND9's named could evolve to only support one of the
> operating modes at a time, and the same with Microsoft DNS, ...  If you
> want to do both pick a separate IP address for each.
> 
> If the two are never mixed the AA=1 signal in queries is not needed.
> 
> -- 
>    Viktor.
> 
> 
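An added illustration of the point argued above (my own stdlib-only sketch, not code from the thread, from BIND or from any resolver): it builds the RD=0 probe a resolver sends to a listed nameserver, optionally with the proposed AA=1 query-side signal, and then classifies the reply's AA bit the way the thread concludes it must be read. The `fake_response` helper and the example names are constructed so the code runs offline; a real deployment would put the query on the wire with a UDP socket.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(qname, qtype=1, txid=0x1234, rd=False, aa=False):
    """Wire-format query, QDCOUNT=1, class IN. rd=False is the usual
    'answer as authoritative' probe; aa=True is the query-side signal the
    thread proposes (servers are supposed to ignore AA in queries today)."""
    flags = (RD if rd else 0) | (AA if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Pull the header bits a resolver needs from a query or response."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F}

def fake_response(query, aa, ra=False, rcode=0):
    """Constructed reply (sample input only): echoes the id and question of
    the query and sets AA/RA/RCODE as a given server type would."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (AA if aa else 0) | (RA if ra else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]

def classify(reply, qname, zone_apex):
    """Interpret a reply to an RD=0 query. AA=1 proves the server answered
    authoritatively. AA=0 at the zone apex means the server is lame for the
    zone. AA=0 below the apex is inconclusive: a mixed-mode server that also
    recurses may have answered from cache for a sub-zone it does not serve."""
    f = parse_flags(reply)
    if not f["qr"]:
        return "not-a-response"
    if f["aa"]:
        return "authoritative"
    if qname.rstrip(".").lower() == zone_apex.rstrip(".").lower():
        return "lame"
    return "inconclusive"

if __name__ == "__main__":
    q = build_query("www.example.net.")           # constructed name
    for aa in (True, False):
        r = fake_response(q, aa=aa, ra=not aa)
        print("AA=%d RA=%d -> %s" % (aa, not aa, classify(r, "www.example.net.", "example.net.")))
```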
