[dns-operations] sophosxl.net problem?
Mark Andrews
marka at isc.org
Wed Nov 13 00:26:58 UTC 2019
Named behaves as an authoritative server for RD=0 queries in
mixed mode if it is serving an enclosing zone. Below is a recursive
query followed by a non-recursive query for the same name to the
same instance of named configured to serve the root zone.
[beetle:~/git/bind9] marka% dig -p 5333 isc.org
; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> -p 5333 isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26993
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d1efb6b27cf32bc2010000005dcb4b983bb2e3dd23cf608b (good)
;; QUESTION SECTION:
;isc.org. IN A
;; ANSWER SECTION:
isc.org. 60 IN A 149.20.1.66
;; Query time: 277 msec
;; SERVER: 127.0.0.1#5333(127.0.0.1)
;; WHEN: Wed Nov 13 11:17:28 AEDT 2019
;; MSG SIZE rcvd: 80
[beetle:~/git/bind9] marka% dig -p 5333 isc.org +norec
; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> -p 5333 isc.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44832
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: df9a3450addc5ae3010000005dcb4b9f7b6c9cf4990c2df0 (good)
;; QUESTION SECTION:
;isc.org. IN A
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
;; ADDITIONAL SECTION:
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5333(127.0.0.1)
;; WHEN: Wed Nov 13 11:17:35 AEDT 2019
;; MSG SIZE rcvd: 469
[beetle:~/git/bind9] marka% cat xxx.conf
options {
listen-on port 5333 { 127.0.0.1; };
listen-on-v6 { none; };
};
zone "." {
type master;
file "root.db";
};
[beetle:~/git/bind9] marka%
> On 13 Nov 2019, at 10:26, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
>> On Nov 12, 2019, at 2:32 PM, Paul Vixie <paul at redbarn.org> wrote:
>>
>> In context, the leak I was talking about was the use of recursive data
>> in authoritative answers, coming from servers configured for both.
>
> Can you be more explicit about what you mean by "in authoritative
> answers"? Do you mean answers to queries with "RD=0", or answers
> with "AA=1"?
>
> It seems that a dual-mode BIND9 server does return recursive data
> in answer to queries with "RD=0", but such answers then also have
> "AA=0".
>
> --
> Viktor.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
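Added example, not part of the message above and not ISC or BIND code: a small checker that reads dig output and labels a response by the two bits the thread is arguing about (AA in the response, RD echoed from the query). The function names and labels are assumptions made for illustration; the sample inputs are shortened excerpts of the two dig runs shown in the message.

```python
import re

def parse_dig(text):
    """Pull status, header flags, ANSWER count and AUTHORITY record types from dig output."""
    hdr = re.search(r"status: (\w+),.*?flags:([a-z ]*);.*?ANSWER: (\d+)", text, re.S)
    if not hdr:
        raise ValueError("no dig header found")
    auth_types, section = [], None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        fields = line.split()
        if m:
            section = m.group(1)
        elif section == "AUTHORITY" and not line.startswith(";") and len(fields) >= 4:
            auth_types.append(fields[3])  # owner TTL class TYPE rdata
    return {"status": hdr.group(1), "flags": set(hdr.group(2).split()),
            "answers": int(hdr.group(3)), "auth_types": auth_types}

def classify(r):
    """Label a parsed response by AA bit, RD bit and section contents."""
    if r["status"] != "NOERROR":
        return "error"
    if "aa" in r["flags"]:
        return "authoritative answer"
    if r["answers"] > 0:
        # AA=0 with data: recursion result if RD was set, otherwise cache contents
        return "recursive answer" if "rd" in r["flags"] else "cached data for RD=0 query"
    if "NS" in r["auth_types"]:
        return "referral"
    return "empty non-authoritative response"

# Shortened excerpts of the two dig outputs in the message above.
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26993
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
isc.org. 60 IN A 149.20.1.66
"""
NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44832
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; AUTHORITY SECTION:
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; ADDITIONAL SECTION:
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
"""
if __name__ == "__main__":
    print(classify(parse_dig(RECURSIVE)), "|", classify(parse_dig(NOREC)))
```

A negative response carrying only an SOA in the authority section falls through to the last label, since the check looks for NS records before calling something a referral.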