[dns-operations] Google DNS Oddity

Mukund Sivaraman muks at mukund.org
Sun Sep 8 16:42:58 UTC 2019

On Sun, Sep 08, 2019 at 06:16:18PM +0200, Vladimír Čunát wrote:
> On 9/8/19 6:05 PM, Warren Kumari wrote:
> > A quick clarification -- this has nothing to do with Google Public DNS
> > (, this was being sent by the authoritative servers (part of
> > an experiment, which went awry, and has been rolled back).
> I'm not confident about what RFCs say, off the top of my head, but Knot
> Resolver does not let unrelated answer records through to its clients. 
> Here it's in-bailiwick, so at least the usual spoofing danger does not
> apply.  (In particular, I've seen quite a number of servers claiming to
> be authoritative for google.com.)

To the original poster, RFC 2181 5.4.1 covers trust when following CNAME
chains, but from the original poster's dig output, there doesn't appear
to be a CNAME involved at all. The nameserver is returning address
records in the answer section unrelated to the question due to name
mismatch. This is covered (without strict RFC 2119 style language) even
in RFC 1034:

* The top-level resolver algorithm in 5.3.3, specifically 4(a) and
  4(d), and,

> Step 4 involves analyzing responses.  The resolver should be highly
> paranoid in its parsing of responses.
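
Added example, not part of the original message and not code from any resolver named in the thread: a sketch of the step 4 check discussed above, accepting an answer record only when its owner name is the query name or is reached from it through CNAMEs present in the same response. The record tuples, names and addresses are constructed, and bailiwick, TTL and DNSSEC handling are deliberately left out.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str
    rtype: str
    rdata: str

def norm(name: str) -> str:
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()

def filter_answer(qname, qtype, answer, max_chain=8):
    """Split an answer section into (accepted, rejected) records."""
    cnames = {}
    for rr in answer:
        if rr.rtype == "CNAME":
            cnames.setdefault(norm(rr.name), rr)  # first CNAME per owner wins
    accepted, seen, current = [], set(), norm(qname)
    # Follow the CNAME chain from the query name; 'seen' stops loops and
    # max_chain bounds the work a hostile response can cause.
    while (qtype != "CNAME" and current in cnames
           and current not in seen and len(seen) < max_chain):
        seen.add(current)
        accepted.append(cnames[current])
        current = norm(cnames[current].rdata)
    # Only records of the asked type at the end of the chain answer the question.
    accepted += [rr for rr in answer
                 if norm(rr.name) == current and rr.rtype == qtype]
    rejected = [rr for rr in answer if rr not in accepted]
    return accepted, rejected

# Constructed sample: address records whose owner name is not the question
# name and no CNAME linking them (the situation described in the thread).
MISMATCH = [
    RR("other.example.com.", "A", "192.0.2.1"),
    RR("other.example.com.", "A", "192.0.2.2"),
]
# Constructed sample: a legitimate CNAME chain plus one stray record.
CHAINED = [
    RR("www.example.com.", "CNAME", "host.example.net."),
    RR("host.example.net.", "A", "192.0.2.10"),
    RR("unrelated.example.com.", "A", "192.0.2.99"),
]

if __name__ == "__main__":
    for label, section in (("mismatch", MISMATCH), ("chained", CHAINED)):
        ok, bad = filter_answer("www.example.com.", "A", section)
        print(label, "accepted:", ok, "rejected:", bad)
```

An empty accepted list with a non-empty answer section is the "bizarre contents" case of 4(d): nothing is cached or returned to the client from that response.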


