[dns-operations] sophosxl.net problem?

Mark Andrews marka at isc.org
Mon Oct 28 02:24:27 UTC 2019



> On 25 Oct 2019, at 5:38 pm, Ambauen Daniel (ID NET) <daniel.ambauen at id.ethz.ch> wrote:
> 
> Hello 
> 
> The Sophos Web Protection Service is answering all DNS queries without an AA flag.
> Is an "authoritative" DNS response without a set AA flag a major DNS protocol violation? 

Yes.  Resolvers use (or should use) AA=0 to skip broken authoritative servers.  If all the servers return AA=0
you run the risk of having all records rejected.  There is no reason for an authoritative server to return AA=0.

BIND tried to fix named to reject AA=0 from authoritative servers a few years back but pandora.tv was returning
AA=0 from all servers at the time and we had to back the change out.  We still want to make that change.

Mark

> Oct 24 17:40:44 [1]   Nameserver ns.sxl31.sophosxl.net IPs: 34.252.84.252(0.00ms), 52.19.19.59(0.00ms)
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Resolved 'm.06.s.sophosxl.net' NS ns.sxl31.sophosxl.net to: 34.252.84.252, 52.19.19.59
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Trying IP 34.252.84.252:53, asking 'jjj.tnynkhf.pu.m.06.s.sophosxl.net|TXT'
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Got 1 answers from ns.sxl31.sophosxl.net (34.252.84.252), rcode=0 (No Error), aa=0, in 37ms
> Oct 24 17:40:44 [1] Removing record 'jjj.tnynkhf.pu.m.06.s.sophosxl.net|TXT|"w l h 2c 1200311811\009#f77a3b635711f65f"' in the answer section without the AA bit set received from m.06.s.sophosxl.net
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: determining status after receiving this packet
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Trying IP 52.19.19.59:53, asking 'jjj.tnynkhf.pu.m.06.s.sophosxl.net|TXT'
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Got 1 answers from ns.sxl31.sophosxl.net (52.19.19.59), rcode=0 (No Error), aa=0, in 37ms
> Oct 24 17:40:44 [1] Removing record 'jjj.tnynkhf.pu.m.06.s.sophosxl.net|TXT|"w l h 2c 1200311811\009#f77a3b635711f65f"' in the answer section without the AA bit set received from m.06.s.sophosxl.net
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: determining status after receiving this packet
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: Failed to resolve via any of the 1 offered NS at level 'm.06.s.sophosxl.net'
> Oct 24 17:40:44 [1] jjj.tnynkhf.pu.m.06.s.sophosxl.net: failed (res=-1)
> Oct 24 17:40:44 3 [1/1] answer to question 'jjj.tnynkhf.pu.m.06.s.sophosxl.net|TXT': 0 answers, 1 additional, took 10 packets, 263.966 netw ms, 305.922 tot ms, 0 throttled, 0 timeouts, 0 tcp connections, rcode=2
> 
> Kind regards
> Daniel

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
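The resolver-side rule Mark describes (a server reached through an NS delegation must answer with AA=1, and answer-section records with AA=0 are discarded, which is what the quoted PowerDNS Recursor log shows) can be reproduced offline. The following is an added example, not code from this thread, from ISC, or from PowerDNS: it builds two constructed DNS wire-format responses for the made-up name example.test, parses the 12-byte header, and applies the AA check before trusting the TXT record.

```python
"""Toy DNS answer validator for the AA=0 problem discussed above.

Constructs a minimal DNS response (header, one question, one TXT RR),
parses the header flags, and applies the resolver rule: an answer from a
server obtained via an NS delegation is only usable when AA=1.  All packets
are constructed in-script; nothing here talks to sophosxl.net.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_txt_response(qname, txt, aa, txid=0x1234, ttl=30):
    """Constructed sample response with one TXT RR; 'aa' sets the AA bit."""
    flags = QR | RD | (AA if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = encode_name(qname) + struct.pack(
        "!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header(packet):
    """Decode the fixed 12-byte header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def skip_name(packet, off):
    """Return the offset just past a name (handles a compression pointer)."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answers(packet):
    """Yield (type, ttl, rdata) for every RR in the answer section."""
    hdr = parse_header(packet)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(packet, off) + 4  # qtype + qclass
    records = []
    for _ in range(hdr["ancount"]):
        name_end = skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack(
            "!HHIH", packet[name_end:name_end + 10])
        rdata = packet[name_end + 10:name_end + 10 + rdlen]
        records.append((rtype, ttl, rdata))
        off = name_end + 10 + rdlen
    return records


def decode_txt(rdata):
    """Split TXT RDATA into its character-strings."""
    strings, off = [], 0
    while off < len(rdata):
        length = rdata[off]
        strings.append(rdata[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return strings


def usable_answers(packet, from_delegated_server=True):
    """Resolver rule from the thread: a server we reached via an NS delegation
    must be authoritative for the name, so with AA=0 every answer-section
    record is dropped (the 'Removing record ... without the AA bit set'
    behaviour in the quoted log).  Returns the TXT strings that survive."""
    hdr = parse_header(packet)
    if not hdr["qr"] or hdr["rcode"] != 0:
        return []
    if from_delegated_server and not hdr["aa"]:
        return []
    return [decode_txt(rdata) for rtype, _ttl, rdata in parse_answers(packet)
            if rtype == TYPE_TXT]


if __name__ == "__main__":
    good = build_txt_response("example.test", "v=test", aa=True)
    bad = build_txt_response("example.test", "v=test", aa=False)
    print("AA=1:", usable_answers(good))   # record accepted
    print("AA=0:", usable_answers(bad))    # record discarded, like pdns
```

The same packet passes when `from_delegated_server=False` (a forwarder or cache is expected to answer with AA=0), which is why the check is keyed on how the server was reached rather than on the flag alone.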