[dns-operations] sophosxl.net problem?
marka at isc.org
Mon Nov 18 00:50:04 UTC 2019
> On 18 Nov 2019, at 11:21, Doug Barton <dougb at dougbarton.email> wrote:
>> On 11/11/19 11:57 AM, Viktor Dukhovni wrote:
>> On Nov 11, 2019, at 2:36 PM, Dave Lawrence <tale at dd.org> wrote:
>>> In the last, AA=0 is a clear standards-noncompliant signalling failure
>>> for which it is entirely appropriate to treat the responder as lame.
>>> (OTOH, if the data can be DNSSEC-validated, hey then whatever, AA was
>>> just redundant -- the data was authoritative even if the responder wasn't.)
>> But if the responder is authoritative only for a parent of the requested
>> domain, and is willing to do recursion for the child zone, and has the
>> answer cached, then if it also serves data from the cache with RD=0, it
>> will return AA=0 for the cached data, while the requestor believes the
>> server to be authoritative (for at least the top of the subtree).
> I also think it's useful to define the circumstances for these various queries. For instance, when setting up a resolving name server for consulting clients I used to routinely have the resolvers slave all of the zones that the customer was authoritative for. That saved cycles on both systems, improved lookup times, etc. In that scenario the resolver could return AA=1 for some zones, but =0 for ones it actually had to recurse for. And then to make that even more exciting, it was not at all uncommon for companies to want a limited set of recursors that had access to the big, scary Internet; and a lot of local ones that forwarded through them for things that they weren't authoritative for. So every answer from the "border" resolvers would be AA=0, and every query from the internal ones would be RD=1.
> And there are two questions I haven't seen answered here yet ... do resolvers always set RD=0 (and if so, why, because that makes no sense);
It does if you are trying to get the latest content for the zone and minimise the number of queries you make. If you hit a misconfigured authoritative server you are getting old data. Additionally some servers don’t follow STD 13 and return SERVFAIL for all queries for the zone if they fail to cleanly load it all. Looking for AA=1/AA=0 allows you to reject answers from partial loads.
> and if they are supposed to set it when they query "the authoritative server," how do they know at what point in the chain they are at, and if the server they are querying is actually authoritative for the zone that the host they are looking for is in? Or to ask the opposite question, how do they tell if the AA flag is set properly?
Well, a resolver should know if it is performing an iterative query (following NS records) or performing a recursive query (to specified servers). The real problem is idiots that think they can redirect queries to a recursive DNS server to provide "a transparent DNS cache" and everything will just work. It doesn't.
> In principle I agree with Paul that we should break things when needed, and break them earlier rather than later (I've been saying that for 20 years, btw, glad to hear that folks are catching up). :) But it's not at all clear to me that this is something that has neat/clean boundaries around which we can justify breaking things.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
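A worked illustration of the header-flag checks discussed in this thread: a resolver sends RD=0 to a server it believes authoritative, then looks at AA, RCODE and the transaction ID in the reply to decide whether it got an authoritative answer, a lame (AA=0) answer, or a SERVFAIL from a server whose zone load failed. This is an added example written for this page, not code from anyone in the thread; the query and the response bytes are constructed inline so it runs offline, and the classification labels are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 1 << 15   # message is a response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, rd=False):
    """One-question query. rd=False is what an iterative resolver sends
    to a server it has found via NS records."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, aa, rcode=RCODE_NOERROR, ra=False, rdata=None):
    """Constructed reply mirroring the query (sample input only, not a
    real server's output). rdata, if given, becomes one A record."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | (AA if aa else 0) | (RA if ra else 0) | rcode
    question = query[12:]
    ancount = 1 if rdata is not None else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if rdata is not None:
        # name: compression pointer to offset 12 (the question name);
        # type A (1), class IN (1), TTL 300, RDLENGTH, RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_header(msg):
    """Decode the 12-byte header into a dict of flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, resp, expect_authoritative):
    """Decide what a resolver should make of a reply.

    expect_authoritative=True means we reached this server by following
    NS records, so AA=0 marks it lame for the zone (the thread's point).
    expect_authoritative=False is the forwarding case, where AA=0 from a
    border recursor is normal."""
    h = parse_header(resp)
    if h["id"] != parse_header(query)["id"]:
        return "id-mismatch"          # not a reply to our question
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"             # e.g. server that failed to load the zone
    if h["rcode"] != RCODE_NOERROR:
        return "rcode-%d" % h["rcode"]
    if h["aa"]:
        return "authoritative"
    if expect_authoritative:
        return "lame"                 # AA=0 where AA=1 was required
    return "non-authoritative"        # cached answer from a recursor


if __name__ == "__main__":
    q = build_query("www.example.com.")           # RD=0 iterative query
    ip = bytes([192, 0, 2, 1])                     # constructed address
    for label, r in [
        ("auth", build_response(q, aa=True, rdata=ip)),
        ("cache", build_response(q, aa=False, ra=True, rdata=ip)),
        ("broken", build_response(q, aa=False, rcode=RCODE_SERVFAIL)),
    ]:
        print(label, classify(q, r, expect_authoritative=True),
              classify(q, r, expect_authoritative=False))
```

The same reply is judged differently depending on how the resolver got there: an AA=0 answer is acceptable from a forwarder but is a lame-delegation signal from a server the resolver reached through the delegation chain, which is the distinction the replies above turn on.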