Bind/Named 9.9 auth-nxdomain question
Mark Andrews
marka at isc.org
Fri Nov 10 21:05:30 UTC 2017
> On 11 Nov 2017, at 3:38 am, Tony Finch <dot at dotat.at> wrote:
>
> Filipe Cifali <cifali at kinghost.com.br> wrote:
>>
>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>> NXDOMAIN.
>
> BIND (well, all DNS servers) have to do that. It doesn't need to be
> configured. See the first example dig output below.
>
> However the example query in your first message did not seem to match what
> you are asking for. You were querying for a domain for which your server
> was not authoritative, so it tried to recurse, but failed (some kind of
> firewall?). Usually on an auth-only server you should disable recursion,
> so your example query would return REFUSED. See the second example dig
> output below.
>
>
>> This is what the auth-nxdomain should do I suppose.
>
> No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
> recursive answers, for bug compatibility with BIND 8.
More correctly it has to do with RFC 103[45], where NXDOMAIN is not to
be accepted without the AA bit being set to 1, which makes it impossible to
return NXDOMAIN from a cache. This is a specification error. Some
clients, 2 decades ago, rejected NXDOMAIN without AA being set. This
flag was to allow the recursive server to interoperate with them.
>
>
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nxdomain.cam.ac.uk. IN A
>
> ;; AUTHORITY SECTION:
> cam.ac.uk. 3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
> 1510329268 ; serial
> 1800 ; refresh (30 minutes)
> 900 ; retry (15 minutes)
> 604800 ; expire (1 week)
> 3600 ; minimum (1 hour)
> )
>
> ;; Query time: 1 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:27:05 GMT 2017
> ;; MSG SIZE rcvd: 93
>
>
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;notauth. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:34:11 GMT 2017
> ;; MSG SIZE rcvd: 25
>
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
> rough, occasionally high in north. Showers. Good.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
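To make the distinction in the thread concrete, here is an added example (not from the list posting or from BIND) that sends the same kind of query dig sends with +norec (RD bit clear) and classifies the reply by its RCODE and AA bit: an authoritative NXDOMAIN carries aa, a cached negative answer does not, and an auth-only server with recursion disabled answers REFUSED for names outside its zones. The two constructed 12-byte headers, the function names and the flag-bit constants are my own; the live query helper uses plain UDP sockets and is only needed when checking a real server.

```python
import socket
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
QR = 0x8000   # response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, txid=0x1234, recursion_desired=False):
    """Build a minimal A/IN query; recursion_desired=False mirrors dig +norec."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(data):
    """Decode the 12-byte header of a DNS message into flag booleans and counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr):
    """Name the answer type the way the thread distinguishes them."""
    if hdr["rcode"] == "NXDOMAIN" and hdr["aa"]:
        return "authoritative NXDOMAIN (aa set): the normal reply from the zone's auth server"
    if hdr["rcode"] == "NXDOMAIN":
        return "non-authoritative NXDOMAIN (aa clear): a cached negative answer from a resolver"
    if hdr["rcode"] == "REFUSED":
        return "REFUSED: server is not authoritative for the name and recursion is off"
    if hdr["rcode"] == "SERVFAIL":
        return "SERVFAIL: server tried to resolve the name (recursion on?) and could not"
    return hdr["rcode"] + (" (aa set)" if hdr["aa"] else " (aa clear)")


def query_udp(server, qname, port=53, timeout=2.0):
    """Send a +norec query to a real server and return the parsed header (live use only)."""
    payload = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (server, port))
        data, _ = sock.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234 or not hdr["qr"]:
        raise ValueError("reply does not match the query")
    return hdr


# Constructed sample headers reproducing the two dig results quoted in the thread.
# NXDOMAIN with qr+aa, one SOA in AUTHORITY (flags 0x8403 = QR|AA|rcode 3).
NXDOMAIN_AA = struct.pack("!HHHHHH", 35951, QR | AA | 3, 1, 0, 1, 0)
# REFUSED with qr only, nothing in the other sections (flags 0x8005 = QR|rcode 5).
REFUSED_NOREC = struct.pack("!HHHHHH", 53652, QR | 5, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, raw in (("nxdomain.cam.ac.uk", NXDOMAIN_AA), ("notauth", REFUSED_NOREC)):
        print(name, "->", classify(parse_header(raw)))
```

Against a live server, `classify(query_udp("192.0.2.53", "nxdomain.example.test"))` (placeholder address and name) tells you in one line whether the box behaves like an authoritative server (aa on NXDOMAIN, REFUSED elsewhere) or like a recursive one; the RD bit is left clear deliberately, because a server that still tries to recurse for a +norec query is the misconfiguration Tony's reply points at.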