[dns-operations] sophosxl.net problem?
Paul Vixie
paul at redbarn.org
Tue Nov 12 23:59:23 UTC 2019
Viktor Dukhovni wrote on 2019-11-12 15:26:
>> On Nov 12, 2019, at 2:32 PM, Paul Vixie <paul at redbarn.org> wrote:
>>
>> In context, the leak I was talking about was the use of recursive data
>> in authoritative answers, coming from servers configured for both.
>
> Can you be more explicit about what you mean by "in authoritative
> answers"? Do you mean answers to queries with "RD=0", or answers
> with "AA=1"?
ideally, RD=0 would access only authority data, including glue for
delegations; RD=1 would access only recursively fetched data. this calls
for a virtual query in some delegation-point cases (like a virtual
particle in a Feynman diagram) where authoritative data is transferred
into the recursive view exactly as if half of the server had queried the
other half. once copied into the recursive view, its TTL would begin to
tick down normally. RD=0 would always align with AA=1, and RD=1 would
always align with AA=0.
> It seems that a dual-mode BIND9 server does return recursive data
> in answer to queries with "RD=0", but such answers then also have
> "AA=0".
sounds like a bug, some of which did slip through BIND9's cracks.
--
P Vixie
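
Added example, not part of the original message or of BIND9: a check of a response header against the RD/AA alignment described above, which flags the RD=0 / AA=0 answer case raised in the quoted question. The sample headers, function names and result labels are constructed for illustration, and treating an RD=0, AA=0 response with an empty answer section as a referral is an assumption.

```python
import struct

QR, AA, RD = 0x8000, 0x0400, 0x0100  # RFC 1035 header flag bits


def make_header(rd, aa, ancount, nscount=0, qid=0x1234):
    """Build a constructed 12-byte DNS response header (sample input only)."""
    flags = QR | (AA if aa else 0) | (RD if rd else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, nscount, 0)


def classify(msg):
    """Compare a response header with the ideal RD/AA alignment."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rd, aa = bool(flags & RD), bool(flags & AA)  # RD is echoed from the query
    if rd != aa:
        # RD=0 with AA=1, or RD=1 with AA=0: the two aligned cases.
        return "aligned-authoritative" if aa else "aligned-recursive"
    if aa:
        return "mismatch-aa-with-rd1"
    if ancount == 0:
        # Assumption: no answer records means a referral or empty response.
        return "referral-or-empty"
    # Non-authoritative answer records returned to an RD=0 query.
    return "mismatch-nonauth-answer-to-rd0"


# Constructed sample headers, one per case.
SAMPLES = {
    "auth answer": make_header(rd=0, aa=1, ancount=1),
    "recursive answer": make_header(rd=1, aa=0, ancount=1),
    "dual-mode answer": make_header(rd=0, aa=0, ancount=1),
    "delegation": make_header(rd=0, aa=0, ancount=0, nscount=2),
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:18s} {classify(header)}")
```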