Re: [dnsext] Empty AA=0 AD=1 answers to AAAA queries: your thoughts pls
Mark Andrews <marka@isc.org> Sat, 20 December 2014 14:25 UTC
To: bert hubert <bert.hubert@netherlabs.nl>
From: Mark Andrews <marka@isc.org>
References: <20141220125805.GB20765@xs.powerdns.com>
In-reply-to: Your message of "Sat, 20 Dec 2014 13:58:06 +0100." <20141220125805.GB20765@xs.powerdns.com>
Date: Sun, 21 Dec 2014 01:25:06 +1100
Message-Id: <20141220142506.C7EA12630502@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/dY6SHxCgHA8m7VjItlOUOyzjVSU
Cc: DNSEXT Group Working <dnsext@ietf.org>
Subject: Re: [dnsext] Empty AA=0 AD=1 answers to AAAA queries: your thoughts pls
In message <20141220125805.GB20765@xs.powerdns.com>, bert hubert writes:
> Hi everybody,
>
> I have a question if I am right in concluding something is a protocol
> violation, and if we should reward it by papering it over or (finally)
> concluding that enough is enough.

I've been thinking for a long time that enough is enough.

Named tried to reject all non referral "aa=0" from supposedly authoritative
servers a while back and we had to reverse the change. While pandora.tv has
fixed the aa=0 issue they still return malformed answers.

What we really need is for TLD operators to audit all the delegated servers
and inform their owners when they see a broken one. They are the ones with
the lists of authoritative servers and the contact information. See
draft-andrews-dns-no-response-issue.

> A few weeks ago we posted this
> http://mailman.powerdns.com/pipermail/pdns-users/2014-December/011004.html
> about Microsoft Azure nameservers sending empty answers (AD=1 no less) to
> AAAA queries. Microsoft has indicated they'll get to addressing this early
> 2015, by the way (thanks Mehmet).
>
> However, we're now seeing more and more of this, for example from the most
> popular news site in the Netherlands nu.nl:
>
> $ dig +trace -t aaaa nu-nl.gslb.sanomaservices.nl.
>
> Which ends on:
>
> $ dig -t aaaa nu-nl.gslb.sanomaservices.nl. @62.69.175.251
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58444
> ;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;nu-nl.gslb.sanomaservices.nl. IN AAAA
>
> Note that this is the same pattern as Microsoft Azure. But this empty AA=0
> answer leads PowerDNS to:
>
> nu-nl.gslb.sanomaservices.nl.: Trying IP 62.69.175.251:53 1, asking 'nu-nl.g
> slb.sanomaservices.nl.|AAAA'
> nu-nl.gslb.sanomaservices.nl.: Got 0 answers from gslb2.sanomaservices.nl. (
> 62.69.175.251), rcode=0 (No Error), aa=0, in 6ms
> nu-nl.gslb.sanomaservices.nl.: determining status after receiving this packe
> t
> nu-nl.gslb.sanomaservices.nl.: status=NS gslb2.sanomaservices.nl. (62.69.175
> .251) is lame for 'gslb.sanomaservices.nl.', trying sibling IP or NS
> nu-nl.gslb.sanomaservices.nl.: Failed to resolve via any of the 2 offered NS
> at level 'gslb.sanomaservices.nl.'
> nu-nl.gslb.sanomaservices.nl.: failed (res=-1)
>
> And this means we send out a SERVFAIL to our client, since all servers are
> 'lame'. This makes some programs very unhappy.
>
> We are (as is any resolver implementor) receiving pressure not to do this,
> and to paper over this behaviour. There is a workaround available in the URL
> above.
>
> We think the time has to come to say 'no, if you run a non-conforming
> implementation, you deserve all the pain you get'.
>
> But before we make a stand, what do you think? Should we accept empty AA=0
> AD=1 answers as "NO ERROR"?

Personally I would like to take a stand. Whether we can convince others is
another matter.

> Please let us know.
>
> Bert

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
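The header-level check the thread is arguing about, added here as an illustration and not code from PowerDNS, BIND or either poster: it parses the fixed 12-byte DNS header and classifies a reply from a server the delegation says is authoritative as a real answer, a NODATA, a referral, or the empty aa=0 reply Bert's resolver marks lame. The sample packets are constructed from the header fields in the quoted dig output; the function and field names are my own.

```python
import struct
from collections import namedtuple

# Fixed 12-byte DNS header (RFC 1035 s4.1.1); AD is the DNSSEC bit from RFC 4035.
DnsHeader = namedtuple("DnsHeader", "id qr aa rd ad rcode qdcount ancount nscount arcount")


def parse_header(packet: bytes) -> DnsHeader:
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return DnsHeader(msg_id, bool(flags & 0x8000), bool(flags & 0x0400),
                     bool(flags & 0x0100), bool(flags & 0x0020), flags & 0x000F,
                     qd, an, ns, ar)


def classify_auth_response(h: DnsHeader) -> str:
    """Classify a reply from a server the parent's delegation says is authoritative
    for the queried name: the position a resolver is in when it receives these."""
    if not h.qr:
        return "not-a-response"
    if h.rcode != 0:
        return f"rcode={h.rcode}"
    if h.aa:
        # A genuine NODATA is aa=1, empty answer, zone SOA in the authority section.
        return "answer" if h.ancount else "nodata"
    if h.ancount == 0 and h.nscount > 0:
        return "referral"   # aa=0 plus NS records: delegating further down
    return "lame"           # aa=0, no answer, no authority: the thread's case


def ad_bit_suspicious(h: DnsHeader) -> bool:
    # AD is set by a validating resolver; an authoritative server has nothing to
    # validate, so ad=1 on an aa=0 reply is a further sign of a misbehaving server.
    return h.ad and not h.aa


def build_response(msg_id, aa, ad, ancount=0, nscount=0, arcount=0) -> bytes:
    """Construct a response header (records omitted) for the classifier to read."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0020 if ad else 0)
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, nscount, arcount)


# Constructed samples: the first mirrors the dig header quoted in the thread
# (flags qr rd ad; ANSWER 0, AUTHORITY 0, ADDITIONAL 1); the other two are what a
# conforming authoritative server sends for NODATA and for a referral.
NU_NL_LIKE = build_response(58444, aa=False, ad=True, arcount=1)
PROPER_NODATA = build_response(58444, aa=True, ad=False, nscount=1)
REFERRAL = build_response(58444, aa=False, ad=False, nscount=2, arcount=2)
```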