Resolving and caching illegal names

Greg Choules gregchoules+bindusers at googlemail.com
Wed Jan 25 07:26:51 UTC 2023


Hi John.
A few questions, if I may.
- Why *must* you forward everything to Akamai?
- Was that a real example of a daft query: 10.11.12.13 type A? If not, do
you have some real examples of queries being made to your servers please?
- Notwithstanding the nature of these illegal queries, if they *are*
illegal (or misguided, or errors, or malicious, or whatever - anything but
valid), what's the issue with returning SERVFAIL? GIGO. Or does that then
prejudice genuine queries, for some reason?
- Are you *only* forwarding to Akamai?
- Do you have "forward only;" or "forward first;"?
- Do Akamai have any knobs you can tweak (I believe they have a customer
web portal for viewing/changing settings?) that would make them behave like
an RFC compliant DNS server?

Cheers, Greg


On Tue, 24 Jan 2023 at 21:17, John Thurston <john.thurston at alaska.gov>
wrote:

> My "resolvers" running BIND 9.18.10 and 9.16.36, accept and attempt to
> resolve queries for illegal names. They will cache answers for these names,
> and answer from cache when asked. What's the thinking here?
>
> I suppose it could be, "The specifications of what is a legal name may
> change with time, and we don't want to burden the resolver code by asking
> it to validate the string before trying to resolve it."
>
> This comes up because my "resolvers" don't actually resolve. All they are
> allowed to do is forward external queries to Akamai, and accept the
> response from Akamai. And Akamai (thank you very much), is happy to accept
> queries like "What is the A-record for 10.11.12.13?" and reply with "The
> answer is 10.11.12.13, and is good for 10 seconds."
>
> Akamai's explanation for this behavior is, "... the query was made in
> error (likely/maybe meant to be type "PTR") and we are trying to save the
> resolver from doing the work a query like this would entail."
>
> But what it really means is my validating "resolver" then does the work of
> trying to validate the reply it got. It is unable to do so, and returns a
> SERVFAIL to the customer.
>
> I haven't yet tried, but I don't expect I can define an RPZ to trap such
> illegal names. Can I? If I could, it would reduce the traffic to Akamai,
> and the number of validations I'm trying to do.
>
>
>
> --
> Do things because you should, not just because you can.
>
> John Thurston    907-465-8591    John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
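To answer the RPZ question in the quoted message concretely: an RPZ cannot pattern-match "looks like an IPv4 address", but it does not have to. RFC 1123 section 2.1 points out that a host name can never be dotted-decimal because its top-level label is alphabetic, and no all-numeric TLD is delegated, so QNAME triggers on the 256 numeric "TLDs" 0..255 catch every dotted-quad QNAME (and anything else ending in a numeric label) without touching real names. The following Python script is an added example, not code from the thread or from ISC: it generates such a policy zone and emulates BIND's QNAME-trigger lookup over a few constructed queries so the policy can be checked before loading it. The zone name "numeric-tld.rpz", the SOA contents and the sample QNAMEs are assumptions.

```python
"""Generate and dry-run a BIND RPZ zone that returns NXDOMAIN for any QNAME
whose top-level label is all-numeric (e.g. "10.11.12.13" queried as type A).

Added example, not from the bind-users thread. Zone name, SOA values and the
sample queries below are constructed for illustration."""

import re
from typing import Dict, Optional

ZONE_NAME = "numeric-tld.rpz"  # assumed name of the policy zone
# Matches one decimal octet 0..255 with no leading zeros.
OCTET_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")


def is_ipv4_literal_qname(qname: str) -> bool:
    """True if qname (with or without trailing dot) is a dotted quad."""
    labels = qname.rstrip(".").split(".")
    return len(labels) == 4 and all(OCTET_RE.match(lbl) for lbl in labels)


def rpz_triggers() -> Dict[str, str]:
    """QNAME trigger owner -> RPZ action. In RPZ, 'CNAME .' means NXDOMAIN.
    'N' catches a bare numeric TLD, '*.N' catches everything beneath it."""
    triggers: Dict[str, str] = {}
    for n in range(256):
        triggers[str(n)] = "CNAME ."
        triggers[f"*.{n}"] = "CNAME ."
    return triggers


def build_rpz_zone() -> str:
    """Render the policy zone as master-file text BIND can load."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )",
        "@ IN NS localhost.",
    ]
    for owner, action in rpz_triggers().items():
        lines.append(f"{owner} IN {action}")
    return "\n".join(lines) + "\n"


def decode(action: str) -> str:
    """Translate RPZ CNAME idioms into the outcome the client would see."""
    return {"CNAME .": "NXDOMAIN", "CNAME *.": "NODATA"}.get(action, action)


def rpz_action(qname: str, triggers: Dict[str, str]) -> Optional[str]:
    """Emulate BIND's QNAME-trigger lookup: exact owner first, then the
    closest covering wildcard. Returns None when no trigger fires."""
    name = qname.rstrip(".")
    if name in triggers:
        return decode(triggers[name])
    labels = name.split(".")
    for i in range(1, len(labels)):  # closest parent first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return decode(triggers[wildcard])
    return None


if __name__ == "__main__":
    # Constructed sample QNAMEs; the PTR-style and ordinary names must pass.
    samples = ["10.11.12.13.", "13.", "1.2.3.4.5.6.",
               "www.example.com.", "13.in-addr.arpa."]
    trig = rpz_triggers()
    for q in samples:
        print(f"{q:20} ipv4-literal={is_ipv4_literal_qname(q)!s:5} "
              f"rpz={rpz_action(q, trig)}")
    with open(f"{ZONE_NAME}.zone", "w") as fh:
        fh.write(build_rpz_zone())
    print(f"wrote {ZONE_NAME}.zone with {len(trig)} triggers")
```

Loading it is the usual pair of statements (assumed paths): a `zone "numeric-tld.rpz" { type master; file "numeric-tld.rpz.zone"; };` plus `response-policy { zone "numeric-tld.rpz"; };` in the options. With the default `qname-wait-recurse yes`, BIND still forwards the query before applying a QNAME trigger; `qname-wait-recurse no` lets it answer the trigger immediately, which is what removes the round trip to the forwarder and the validation attempt on the reply. The emulation above only models QNAME triggers, not the NSDNAME, NSIP or client-IP triggers an RPZ can also carry.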