[dns-operations] sophosxl.net problem?

Paul Vixie paul at redbarn.org
Tue Nov 12 23:59:23 UTC 2019

Viktor Dukhovni wrote on 2019-11-12 15:26:
>> On Nov 12, 2019, at 2:32 PM, Paul Vixie <paul at redbarn.org> wrote:
>> In context, the leak I was talking about was the use of recursive data
>> in authoritative answers, coming from servers configured for both.
> Can you be more explicit about what you mean by "in authoritative
> answers"?  Do you mean answers to queries with "RD=0", or answers
> with "AA=1"?

ideally, RD=0 would access only authority data, including glue for 
delegations; RD=1 would access only recursively fetched data. this calls 
for a virtual query in some delegation-point cases (like a virtual 
particle in a feinman diagram) where authoritative data is transferred 
into the recursive view exactly as if half of the server had queried the 
other half. once copied into the recursive view, its TTL would begin to 
tick down normally. RD=0 would always align with AA=1, and RD=1 would 
always align with AA=0.

> It seems that a dual-mode BIND9 server does return recursive data
> in answer to queries with "RD=0", but such answers then also have
> "AA=0".

sounds like a bug, some of which did slip through BIND9's cracks.

P Vixie

More information about the dns-operations mailing list