[dnsext] Empty AA=0 AD=1 answers to AAAA queries: your thoughts pls
bert hubert <bert.hubert@netherlabs.nl> Sat, 20 December 2014 12:58 UTC
Date: Sat, 20 Dec 2014 13:58:06 +0100
From: bert hubert <bert.hubert@netherlabs.nl>
To: DNSEXT Group Working <dnsext@ietf.org>
Message-ID: <20141220125805.GB20765@xs.powerdns.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/mMRrvsLvZNOu6coyPoO6nrOKcSI
Hi everybody,

I have a question if I am right in concluding something is a protocol violation, and if we should reward it by papering it over or (finally) concluding that enough is enough.

A few weeks ago we posted this
http://mailman.powerdns.com/pipermail/pdns-users/2014-December/011004.html
about Microsoft Azure nameservers sending empty answers (AD=1 no less) to AAAA queries. Microsoft has indicated they'll get to addressing this early 2015, by the way (thanks Mehmet).

However, we're now seeing more and more of this, for example from the most popular news site in the Netherlands nu.nl:

$ dig +trace -t aaaa nu-nl.gslb.sanomaservices.nl.

Which ends on:

$ dig -t aaaa nu-nl.gslb.sanomaservices.nl. @62.69.175.251
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58444
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;nu-nl.gslb.sanomaservices.nl.    IN    AAAA

Note that this is the same pattern as Microsoft Azure.

But this empty AA=0 answer leads PowerDNS to:

nu-nl.gslb.sanomaservices.nl.: Trying IP 62.69.175.251:53 1, asking 'nu-nl.gslb.sanomaservices.nl.|AAAA'
nu-nl.gslb.sanomaservices.nl.: Got 0 answers from gslb2.sanomaservices.nl. (62.69.175.251), rcode=0 (No Error), aa=0, in 6ms
nu-nl.gslb.sanomaservices.nl.: determining status after receiving this packet
nu-nl.gslb.sanomaservices.nl.: status=NS gslb2.sanomaservices.nl. (62.69.175.251) is lame for 'gslb.sanomaservices.nl.', trying sibling IP or NS
nu-nl.gslb.sanomaservices.nl.: Failed to resolve via any of the 2 offered NS at level 'gslb.sanomaservices.nl.'
nu-nl.gslb.sanomaservices.nl.: failed (res=-1)

And this means we send out a SERVFAIL to our client, since all servers are 'lame'. This makes some programs very unhappy.

We are (as is any resolver implementor) receiving pressure not to do this, and to paper over this behaviour. There is a workaround available in the URL above.

We think the time has to come to say 'no, if you run a non-conforming implementation, you deserve all the pain you get'.

But before we make a stand, what do you think? Should we accept empty AA=0 AD=1 answers as "NO ERROR"?

Please let us know.

Bert
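As an added example (not part of Bert's message and not PowerDNS code), the following Python builds two wire-format replies from the values in the dig output above and shows the decision a resolver has to make when a server it believes to be authoritative returns NOERROR with nothing in it: AA=1 with an SOA in AUTHORITY is a proper NODATA (RFC 2308), while AA=0 with empty ANSWER and AUTHORITY sections is the pattern PowerDNS logs as lame. The SOA contents and the ns1./hostmaster. names are assumptions; the query id, flags and names come from the message. It also shows why the AD=1 in these replies is irrelevant: a resolver only sets AD towards its own client when it validated the data itself (RFC 4035 section 3.2.3), never because an upstream server set it.

```python
"""Classify an empty NOERROR reply from an (allegedly) authoritative server."""
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, AA, TC, RD, RA, AD, CD = (1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7, 1 << 5, 1 << 4)
RCODE_MASK = 0x000F
TYPE_SOA, TYPE_AAAA, TYPE_OPT = 6, 28, 41
CLASS_IN = 1


def encode_name(name):
    """Wire-format owner name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qid, flags, qname, qtype, soa_zone=None, opt=True):
    """Constructed reply: one question, optional SOA in AUTHORITY, optional
    OPT in ADDITIONAL (udp 1280, as in the dig output). SOA values are made up."""
    authority = b""
    if soa_zone:
        rdata = encode_name("ns1." + soa_zone) + encode_name("hostmaster." + soa_zone)
        rdata += struct.pack("!IIIII", 1, 3600, 900, 604800, 300)  # serial..minimum
        authority = encode_name(soa_zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(rdata)) + rdata
    additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1280, 0, 0) if opt else b""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 1 if soa_zone else 0, 1 if opt else 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN) + authority + additional


def parse_response(msg):
    """Header, question and (owner, type) of every record per section."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen                          # skip fixed fields + RDATA
            sections[sec].append((name, rtype))
    return {"id": qid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qname": qname, "qtype": qtype, **sections}


def classify(r):
    """What a resolver can conclude from a reply by a server it treats as authoritative."""
    if r["rcode"] != 0:
        return "RCODE %d" % r["rcode"]
    if r["answer"]:
        return "ANSWER"
    if r["flags"] & AA:
        # Authoritative NODATA: the name exists but has no RRs of this type.
        has_soa = any(t == TYPE_SOA for _, t in r["authority"])
        return "NODATA (with SOA)" if has_soa else "NODATA (no SOA: nothing to cache negatively)"
    if r["authority"]:
        return "REFERRAL"                              # NS records pointing downward
    return "LAME"                                      # AA=0, nothing at all: the pattern in the mail


def ad_bit_for_client(_upstream_flags, validated_locally):
    """AD towards our client depends only on our own validation, never on upstream's AD."""
    return bool(validated_locally)


if __name__ == "__main__":
    qname = "nu-nl.gslb.sanomaservices.nl."
    observed = build_response(58444, QR | RD | AD, qname, TYPE_AAAA)            # flags: qr rd ad
    proper = build_response(58444, QR | AA | RD, qname, TYPE_AAAA, soa_zone="gslb.sanomaservices.nl.")
    for label, pkt in (("observed", observed), ("proper", proper)):
        print(label, classify(parse_response(pkt)))
```

The LAME branch is exactly where the workaround pressure Bert describes applies: accepting it as NODATA means caching a negative answer with no SOA to give it a TTL, while rejecting it means SERVFAIL once every listed server behaves the same way.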