<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Nov 15, 2013 at 7:24 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
</div></div>Because too many authoritative servers are broken.<br>
<div class="HOEnZb"><div class="h5"><br></div></div></blockquote></div><br></div><div class="gmail_extra">Yes, that's true. It's been true for a long time. Yet it seems to me like there should be limits to what you accept. Even so, it takes a particular degree or effort or neglect to significantly break DNS. We've been strictly validating (and strict on what we accept from external sources even in situations that aren't strictly related to validation as in this case) for more than two years now. And this is the first time we've encountered this particular sort of breakage.<br>
<br></div><div class="gmail_extra">Admittedly, I have the luxury of working in an organization where we strictly control the perimeter and we actually can tell any of our 100k or so employees that the other organization has broken their DNS and for security reasons we won't be able to resolve their zone until they fix it. I do understand the very different pressures an ISP faces, especially when we're still on this side of the curve toward actually securing DNS.<br>
<br></div><div class="gmail_extra">Even so, it's not easy to achieve the particular sort of breakage I described. And it's apparently a pretty uncommon way to break your authoritative DNS. At least, it's the only such instance we've encountered to date. Why would a caching nameserver accept and utilize a non-authoritative response from an authoritative nameserver? That's the part I don't understand. The brokenness will never get fixed if everyone treats it as acceptable.<br>
<br></div><div class="gmail_extra">Scott<br><br></div></div>