[dns-operations] Any known AD=1 intolerant iterative resolvers?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Apr 14 22:19:24 UTC 2020


Does anyone know of any iterative resolvers one is likely to run into on
some ISP's network, hotel, or WiFi hotspot that will choke on queries
with AD=1, per:

    https://tools.ietf.org/html/rfc6840#section-5.7

FWIW, "dig" sets AD=1 by default, and I've never seen a need to use
"+noad" to get the upstream resolver to respond correctly.  But perhaps
I've just not tested in the "wrong" places.

Is there a way to leverage RIPE ATLAS to look for AD=1 (in queries)
intolerance?

The reason I ask is that the MUSL libc stub resolver has no support for
EDNS and so no DO=1, but Postfix DANE support still needs to see the AD
bit from the local resolver, which is not sent when there's no AD=1 in
the query.

My instinct is that it is now safe to just always send AD=1 in queries,
which would partly resolve the issue, but if that is liable to break
lookups via some extant resolvers, then AD=1 would need to be
configurable via options in /etc/resolv.conf or similar.

-- 
    Viktor.
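As an added illustration of the wire-level detail the message turns on (this is example code, not part of Viktor's post nor of musl or Postfix), the Python below builds a plain non-EDNS DNS query with the AD bit set in the header flags word, decodes the flags of a response, and applies the check a DANE client needs: the answer is only usable if the resolver returned AD=1. The response bytes are constructed sample headers, not captured traffic; the transaction id and the TLSA owner name are made-up values.

```python
import struct

# DNS header flag bits (RFC 1035 header layout; AD and CD as later defined for DNSSEC).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: set by a validating resolver
FLAG_CD = 0x0010  # Checking Disabled
RCODE_MASK = 0x000F

QTYPE_A = 1
QTYPE_TLSA = 52  # TLSA records are what a DANE SMTP client looks up


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, ad: bool = True, txid: int = 0x1234) -> bytes:
    """Build a plain (non-EDNS) query.

    The AD bit lives in the 16-bit header flags word, so even a stub with no
    EDNS support can set it. The DO bit lives in the EDNS OPT record, which a
    non-EDNS stub cannot send at all (dig's "+noad" clears this AD flag)."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_flags(packet: bytes) -> dict:
    """Decode the id and header flags of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
    }


def dane_usable(response: bytes, expected_id: int) -> bool:
    """A DANE client may rely on TLSA data only if the resolver reports AD=1."""
    f = parse_flags(response)
    return f["qr"] and f["id"] == expected_id and f["rcode"] == 0 and f["ad"]


# Constructed response headers (no RRs), as a validating resolver would emit them.
# 0x81A0 = QR|RD|RA|AD: what RFC 6840 s5.7 asks for when the query carried AD=1.
RESPONSE_AD_SET = bytes.fromhex("1234 81a0 0001 0001 0000 0000")
# 0x8180 = QR|RD|RA only: what the same resolver may return when the query had
# neither AD=1 nor DO=1, which is the case for an EDNS-less stub sending AD=0.
RESPONSE_AD_CLEAR = bytes.fromhex("1234 8180 0001 0001 0000 0000")

if __name__ == "__main__":
    q = build_query("_25._tcp.mail.example.com", QTYPE_TLSA)  # made-up owner name
    print("query flags:", parse_flags(q))
    print("AD-bearing response usable for DANE:", dane_usable(RESPONSE_AD_SET, 0x1234))
    print("AD-less response usable for DANE:", dane_usable(RESPONSE_AD_CLEAR, 0x1234))
```

Sending `build_query(...)` over UDP to a resolver and feeding the reply to `parse_flags` is the same probe the post asks about: a resolver that is AD=1 intolerant would fail or misbehave on the first packet, and one that honours RFC 6840 answers with the AD bit set.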
