[dns-operations] sophosxl.net problem?

Doug Barton dougb at dougbarton.email
Mon Nov 18 00:21:16 UTC 2019


On 11/11/19 11:57 AM, Viktor Dukhovni wrote:
>> On Nov 11, 2019, at 2:36 PM, Dave Lawrence <tale at dd.org> wrote:
>>
>> In the last, AA=0 is a clear standards-noncompliant signalling failure
>> for which it is entirely appropriate to treat the responder as lame.
>> (OTOH, if the data can be DNSSEC-validated, hey then whatever, AA was
>> just redundant -- the data was authoritative even if the responder wasn't.)
> 
> But if the responder is authoritative only for a parent of the requested
> domain, and is willing to do recursion for the child zone, and has the
> answer cached, then if it also serves data from the cache with RD=0, it
> will return AA=0 for the cached data, while the requestor believes the
> server to be authoritative (for at least the top of the subtree).


I also think it's useful to define the circumstances for these various 
queries. For instance, when setting up a resolving name server for 
consulting clients I used to routinely have the resolvers slave all of 
the zones that the customer was authoritative for. That saved cycles on 
both systems, improved lookup times, etc. In that scenario the resolver 
could return AA=1 for some zones, but =0 for ones it actually had to 
recurse for. And then to make that even more exciting, it was not at all 
uncommon for companies to want a limited set of recursors that had 
access to the big, scary Internet; and a lot of local ones that 
forwarded through them for things that they weren't authoritative for. 
So every answer from the "border" resolvers would be AA=0, and every 
query from the internal ones would be RD=1.

And there are two questions I haven't seen answered here yet ... do 
resolvers always set RD=0 (and if so, why, because that makes no sense); 
and if they are supposed to set it when they query "the authoritative 
server," how do they know at what point in the chain they are, and if 
the server they are querying is actually authoritative for the zone that 
the host they are looking for is in? Or to ask the opposite question, 
how do they tell if the AA flag is set properly?

In principle I agree with Paul that we should break things when needed, 
and break them earlier rather than later (I've been saying that for 20 
years, btw, glad to hear that folks are catching up).  :)  But it's not 
at all clear to me that this is something that has neat/clean boundaries 
around which we can justify breaking things.

Doug
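As an added illustration (not part of Doug's message or anyone else's in the thread), a small Python parser for the fixed DNS header that labels a response by the AA/RA/RCODE bits the thread is arguing about. The labels, the use of RA to tell a cache answer from a lame one, and the sample headers are this example's own constructions, not anything the list participants proposed.

```python
import struct
from dataclasses import dataclass

# Header flag bits from RFC 1035 section 4.1.1 (16-bit flags word).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F

@dataclass
class DnsHeader:
    id: int
    flags: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int

    def bit(self, mask: int) -> bool:
        return bool(self.flags & mask)

    @property
    def rcode(self) -> int:
        return self.flags & RCODE_MASK

def parse_header(msg: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    return DnsHeader(*struct.unpack("!6H", msg[:12]))

def build_header(flags: int, ancount: int = 0, nscount: int = 0, msg_id: int = 0x1234) -> bytes:
    """Constructed sample header (header only, no question/answer sections)."""
    return struct.pack("!6H", msg_id, flags, 1, ancount, nscount, 0)

def classify(resp: DnsHeader, query_rd: bool = False) -> str:
    """Label a response to an iterative (RD=0) query; heuristic, as the thread shows."""
    if not resp.bit(QR):
        return "not-a-response"
    if resp.rcode != 0:
        return f"rcode-{resp.rcode}"
    if resp.bit(AA):
        return "authoritative"            # AA=1: server asserts authority for the zone
    if resp.ancount == 0 and resp.nscount > 0:
        return "referral"                 # no answers, only NS records: delegation downward
    if resp.bit(RA) and not query_rd:
        return "cache-nonauthoritative"   # recursion-capable server answered from cache, AA=0
    return "lame"                         # answer without AA from a server expected to be authoritative
```

Note that the "cache-nonauthoritative" and "lame" cases carry the same AA=0 bit; only the RA bit (whether the responder offers recursion at all) separates them here, which is exactly the ambiguity Doug's questions point at.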