[dns-operations] why does that domain resolve?

Paul Vixie paul at redbarn.org
Wed Jun 9 21:35:03 UTC 2021

Benno Overeinder wrote on 2021-06-07 05:29:
> On 04/06/2021 18:22, Anthony Lieuallen via dns-operations wrote:
>> ...  Largely for issues like this: the child delegations can be wrong,
>> but for the domain to work at all, the parent delegations must be
>> correct.  (Resolvers that choose to use child delegations will likely
>> in this case discover that these delegations are bogus, and be left
>> with only the valid delegations, from the parent.)
> Unbound prefers the child side name servers, but if they do not answer,
> tries to use the parent-side name servers.

that strikes me as something we should recommend for all implementors,
more or less in the style of the "resimprove" draft. it's not a protocol
change but it does improve system resiliency.

> A little more detail, Unbound would on first resolve use the parent side
> servers.  On the second resolve, Unbound has the child-side name server
> data, ...  Then tries to send packets to them, getting failure
> answers.  Then tries the parent-side name servers as fallback.

this likewise strikes me as recommendable behaviour, but the point made
up-thread about minimal responses deserves to be re-raised now: if you
do not receive an authority section with an NS RRset "on first resolve",
then how do you learn the apex name server names to be used "on second


Sent from Postbox
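
The lookup order discussed in this thread (child-side NS preferred, parent-side NS as fallback), as a simplified model. This is an added example, not part of the message and not Unbound's code. The zone and server names, the address and the reachability set are constructed, and the model assumes the resolver sends no explicit NS query, so a reply without an authority-section NS RRset teaches it nothing about the child side.

```python
# Simplified model of the lookup order described in the thread; not Unbound's code.
# Zone names, server names, the address and the reachability set are constructed.
PARENT_NS = {"example.test.": ["ns1.good.test.", "ns2.good.test."]}  # parent-side delegation
BOGUS_CHILD_NS = ["ns1.dead.test.", "ns2.dead.test."]  # wrong apex NS RRset in the child zone
REACHABLE = {"ns1.good.test.", "ns2.good.test."}       # servers that actually answer

def make_send(minimal):
    """Return send(server, qname) -> (answer, authority_ns), or None on failure."""
    def send(server, qname):
        if server not in REACHABLE:
            return None                                 # timeout or failure answer
        # A minimal response carries no authority-section NS RRset.
        return ("192.0.2.10", None if minimal else BOGUS_CHILD_NS)
    return send

class Resolver:
    def __init__(self, send):
        self.send = send
        self.child_ns = {}   # zone -> NS names learned from an authority section
        self.log = []        # (side, server, answered) for every packet sent

    def candidates(self, zone):
        """Cached child-side NS first, then parent-side NS as fallback."""
        child = self.child_ns.get(zone, [])
        parent = [ns for ns in PARENT_NS[zone] if ns not in child]
        return [("child", ns) for ns in child] + [("parent", ns) for ns in parent]

    def resolve(self, zone, qname):
        for side, server in self.candidates(zone):
            reply = self.send(server, qname)
            self.log.append((side, server, reply is not None))
            if reply is None:
                continue                                # try the next candidate
            answer, authority_ns = reply
            if authority_ns:                            # only then is child-side data learned
                self.child_ns[zone] = list(authority_ns)
            return answer
        return None                                     # every candidate failed

def run_twice(minimal):
    """Resolve the same name twice; return the answers, packet log and learned NS."""
    r = Resolver(make_send(minimal))
    answers = [r.resolve("example.test.", "www.example.test.") for _ in range(2)]
    return answers, r.log, r.child_ns

if __name__ == "__main__":
    for minimal in (False, True):
        print("minimal responses:", minimal, run_twice(minimal))
```

With full responses the second resolve spends two packets on the bogus child-side servers before the parent-side fallback answers; with minimal responses the child-side set is never learned in this model and both resolves go straight to the parent-side servers.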
