[dns-operations] why does that domain resolve?
Benno Overeinder
benno at NLnetLabs.nl
Mon Jun 7 12:29:43 UTC 2021
On 04/06/2021 18:22, Anthony Lieuallen via dns-operations wrote:
> On Fri, Jun 4, 2021 at 11:58 AM A. Schulze <sca at andreasschulze.de> wrote:
>
> > So I wonder, why do so many resolvers [1] obviously only follow a
> > delegation and ignore authoritative data?
>
>
> This is a question of being parent- vs. child- centric. The parents in
> the DNS tree delegate correctly. The fact that the children delegate
> incorrectly can be a small or non-issue depending on resolver. Google
> Public DNS uses only parent delegations (
> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation
> ). Largely for issues like this: the child delegations can be wrong,
> but for the domain to work at all, the parent delegations must be
> correct. (Resolvers that choose to use child delegations will likely in
> this case discover that these delegations are bogus, and be left with
> only the valid delegations, from the parent.)

Unbound prefers the child-side name servers, but if they do not answer,
it tries to use the parent-side name servers.

A little more detail: on the first resolve, Unbound would use the
parent-side servers. On the second resolve, Unbound has the child-side
name server data, looks up ns1.example.com and gets an answer from the
IANA example servers. It then tries to send packets to them, getting
failure answers. Then it tries the parent-side name servers as a fallback.

-- Benno
--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
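
The two selection policies discussed in this thread, as an added example that is not part of the original message and is not Unbound's or Google Public DNS's code: a simplified model that reports parent/child NS drift and traces which server set each policy ends up using on a first and second lookup. The parent-side names (`ns1.provider.test.`, `ns2.provider.test.`), the `ns2.example.com.` entry, the answering set and all function names are constructed assumptions.

```python
"""Simplified model of parent- vs child-centric NS selection (constructed data)."""

# Constructed sample: NS sets as seen at the parent (delegation) and at the
# child (zone apex), plus the servers that actually answer for the zone.
PARENT_NS = {"ns1.provider.test.", "ns2.provider.test."}
CHILD_NS = {"ns1.example.com.", "ns2.example.com."}
ANSWERING = {"ns1.provider.test.", "ns2.provider.test."}


def delegation_drift(parent_ns, child_ns):
    """Return the names present on only one side of the zone cut."""
    return {
        "parent_only": sorted(parent_ns - child_ns),
        "child_only": sorted(child_ns - parent_ns),
    }


def pick_servers(parent_ns, child_ns, answering, policy, child_cached):
    """Return (servers_used, trace) for one resolution under a policy.

    policy "parent" uses only the delegation; policy "child" prefers the
    child-side set once it is cached and falls back to the parent side
    when none of the child-side servers answer.
    """
    trace = []
    if policy == "child" and child_cached:
        usable = sorted(child_ns & answering)
        trace.append(("child", usable))
        if usable:
            return usable, trace
    usable = sorted(parent_ns & answering)
    trace.append(("parent", usable))
    return usable, trace


def resolve_twice(policy):
    """First lookup has no child-side data cached; the second one does."""
    first = pick_servers(PARENT_NS, CHILD_NS, ANSWERING, policy, False)
    second = pick_servers(PARENT_NS, CHILD_NS, ANSWERING, policy, True)
    return first, second


if __name__ == "__main__":
    print(delegation_drift(PARENT_NS, CHILD_NS))
    for policy in ("parent", "child"):
        for n, (servers, trace) in enumerate(resolve_twice(policy), 1):
            print(policy, "lookup", n, "->", servers, "via", trace)
```

A non-empty `child_only` list is the condition worth alerting on in zone monitoring: the domain still resolves, but child-preferring resolvers spend a failed round on servers that do not serve the zone.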