[dns-operations] sophosxl.net problem?
dougb at dougbarton.email
Mon Nov 18 00:21:16 UTC 2019
On 11/11/19 11:57 AM, Viktor Dukhovni wrote:
>> On Nov 11, 2019, at 2:36 PM, Dave Lawrence <tale at dd.org> wrote:
>> In the last, AA=0 is a clear standards-noncompliant signalling failure
>> for which it is entirely appropriate to treat the responder as lame.
>> (OTOH, if the data can be DNSSEC-validated, hey then whatever, AA was
>> just redundant -- the data was authoritative even if the responder wasn't.)
> But if the responder is authoritative only for a parent of the requested
> domain, and is willing to do recursion for the child zone, and has the
> answer cached, then if it also serves data from the cache with RD=0, it
> will return AA=0 for the cached data, while the requestor believes the
> server to be authoritative (for at least the top of the subtree).
I also think it's useful to define the circumstances for these various
queries. For instance, when setting up a resolving name server for
consulting clients I used to routinely have the resolvers slave all of
the zones that the customer was authoritative for. That saved cycles on
both systems, improved lookup times, etc. In that scenario the resolver
could return AA=1 for some zones, but =0 for ones it actually had to
recurse for. And then to make that even more exciting, it was not at all
uncommon for companies to want a limited set of recursors that had
access to the big, scary Internet; and a lot of local ones that
forwarded through them for things that they weren't authoritative for.
So every answer from the "border" resolvers would be AA=0, and every
query from the internal ones would be RD=1.
And there are two questions I haven't seen answered here yet ... do
resolvers always set RD=0 (and if so, why, because that makes no sense);
and if they are supposed to set it when they query "the authoritative
server," how do they know what point in the chain they are at, and if
the server they are querying is actually authoritative for the zone that
the host they are looking for is in? Or to ask the opposite question,
how do they tell if the AA flag is set properly?
In principle I agree with Paul that we should break things when needed,
and break them earlier rather than later (I've been saying that for 20
years, btw, glad to hear that folks are catching up). :) But it's not
at all clear to me that this is something that has neat/clean boundaries
around which we can justify breaking things.
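The flag combinations the thread is arguing about (AA=1 from a slaved zone, AA=0 data from a cache, a referral, and a border resolver answering RD=1 queries with RA=1) all live in the 12-byte DNS header, so it is easy to see what a resolver can and cannot tell from them. The following is an added example, not code from this thread or from any resolver implementation: it decodes the header per RFC 1035 section 4.1.1 and classifies a response relative to the query it answers. The sample messages are constructed header-only stubs (no question section or records), which is enough because the AA/RD/RA bits are all in the header; the category names and the `classify_response` heuristic are this example's own, not any standard's.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message into its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident: int, *, qr=False, aa=False, rd=False, ra=False,
                 rcode=0, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Build a header-only DNS message with the given flags and counts.

    Constructed test data: a real message carries a question section and
    records after these 12 bytes, but the AA/RD/RA bits live here.
    """
    flags = ((QR if qr else 0) | (AA if aa else 0) | (RD if rd else 0)
             | (RA if ra else 0) | (rcode & 0xF))
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


def classify_response(query: bytes, response: bytes) -> str:
    """Say what a response tells us about the responder, given the query.

    An iterative resolver sends RD=0 and expects either AA=1 data or a
    referral (no answers, NS records in the authority section).  AA=0 data
    in reply to an RD=0 query is the case the thread argues about: the
    header alone cannot separate a lame server from one answering from
    cache, so both land in one bucket here (heuristic, this example's own).
    """
    q, r = parse_header(query), parse_header(response)
    if not r["qr"]:
        return "not-a-response"
    if r["id"] != q["id"]:
        return "id-mismatch"
    if r["aa"]:
        return "authoritative"
    if r["rcode"] == 0 and r["ancount"] == 0 and r["nscount"] > 0:
        return "referral"
    if not q["rd"] and r["ancount"] > 0:
        return "lame-or-cached"
    if q["rd"] and r["ra"]:
        return "recursive"
    return "non-authoritative"


def demo() -> dict:
    """Run the scenarios from the thread on constructed headers."""
    q_iter = build_header(0x1234, rd=False)   # iterative resolver query
    q_stub = build_header(0x1234, rd=True)    # stub or forwarder query
    return {
        "slaved zone": classify_response(
            q_iter, build_header(0x1234, qr=True, aa=True, an=1)),
        "delegation": classify_response(
            q_iter, build_header(0x1234, qr=True, ns=2, ar=2)),
        "cache with AA=0": classify_response(
            q_iter, build_header(0x1234, qr=True, an=1)),
        "border resolver": classify_response(
            q_stub, build_header(0x1234, qr=True, ra=True, an=1)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict}")
```

Note what the "cache with AA=0" case shows: the header gives a resolver no way to distinguish Viktor's parent-zone server answering from cache from a genuinely lame delegation, which is the reason the thread cannot find a clean boundary for "treat as lame"; only DNSSEC validation of the data, as Dave notes, makes AA irrelevant.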