[dns-operations] Nameserver responses from different IP than destination of request

[Florian Weimer]

* Warren Kumari:

> On Mon, Aug 31, 2020 at 2:11 PM Florian Weimer <fw at deneb.enyo.de> wrote:
>>
>> * Puneet Sood via dns-operations:
>>
>> > We would be interested in hearing other operator's experience here.
>> > Are recursive servers seeing similar behavior from authoritative
>> > servers? If yes, are you discarding these responses?
>> > Are there authoritative server operators who still need the
>> > flexibility afforded by RFC 1035?
>>
>> If I recall correctly, while helping to run an academic network I
>> encountered this issue on the authoritative server side.  That was
>> close to twenty years ago, and even back then, it did not occur to us
>> to push the resolvers to accept these incorrectly sourced responses,
>> instead of getting the authoritative server operator to fix their
>> setup.
>
> The bit that I'm failing to understand is why these continue to exist
> -- if everyone (or, everyone other than Google) are ignoring /
> dropping these, how / why are they still on the Internet? Is it just
> the $whatever are sending these are always deployed next to something
> that ain't broke and the operator just hasn't noticed?
> Or are perhaps more things accepting these than we expect?

If such problems exist, they might not occur consistently for all
source addresses.  A subset of client addresses can route the response
in such a way that the expected source address is produced on the
public Internet.  Or the affected zones have other name servers that
hide the problem until you start looking for it.