dig +norecurse behaviour changed with 9.16.33
Petr Špaček
pspacek at isc.org
Thu Oct 27 13:15:39 UTC 2022
Hello,
please see answer in-line:
On 27. 10. 22 14:28, Veronique Lefebure wrote:
> (*) On an external DNS server you can try with the following similar case:
>
> Running DiG 9.11.21 on a linux client
> ext-dns-1 (192.65.187.5) runs BIND9.16:
> dig @ext-dns-1 foundservices.cern.ch | grep flags | grep ANSWER
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> dig @ext-dns-1 foundservices.cern.ch *+norecurse* | grep flags | grep ANSWER
> ;; flags: qr aa ra; QUERY: 1, ANSWER: *1*, AUTHORITY: 0, ADDITIONAL: 1
> Full output:
> dig @192.65.187.5 foundservices.cern.ch +norecurse
> ; <<>> DiG 9.11.21 <<>> @192.65.187.5 foundservices.cern.ch +norecurse
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9899
> ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Please note that your output above contains the "ra" flag - Recursion
Available. That one should be set only when talking to a resolver which
can chase down indirection as needed.

I'm getting a different answer when I ask from my machine:

$ dig @192.65.187.5 foundservices.cern.ch | grep flags | grep ANSWER
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Most importantly, no "ra" flag is listed here.

This can be either a configuration thing (an ACL which allows recursion
for your source address but not mine), or something messing with packets
at the network level.
It's hard to say what is going on when we can't see configs and can't
access the servers.
In case sharing real configs & zones on this mailing list is not an
option, then there are two possible ways forward:

1. Reproduce the problem by recreating a minimal working configuration &
zone data to demonstrate the exact behavior using only the data which
can be shared.

2. Get commercial support with an NDA in place. With that in place we could
hopefully be allowed to see everything we need. Please see
https://www.isc.org/support/ for more details.

> Greg, can I send you a pcap file in a private email ?
I'm not Greg, but please don't e-mail us privately.
https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/
applies here as well.
--
Petr Špaček
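
Added example, not part of the original message and not ISC or BIND code: a Python helper that parses the two `;; flags:` lines quoted in the thread, decodes the same fields from a raw 12-byte DNS header such as one taken from a packet capture, and lists where two answers to the same query differ. The function names and the wire-format header bytes are constructed for illustration.

```python
import re
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035),
# keyed by the lower-case names dig prints.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
SECTIONS = ("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);(.*)$")

def parse_dig_flags(line):
    """Parse dig's ';; flags: ...' line into (flag set, section counts)."""
    m = FLAGS_RE.match(line.strip())
    if not m:
        raise ValueError("not a dig flags line: %r" % line)
    counts = {}
    for part in m.group(2).split(","):
        name, _, value = part.partition(":")
        counts[name.strip()] = int(value)
    return set(m.group(1).split()), counts

def parse_wire_header(packet):
    """Same result from the first 12 bytes of a DNS message (e.g. from a pcap)."""
    if len(packet) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _id, word, *n = struct.unpack("!6H", packet[:12])
    flags = {name for name, bit in FLAG_BITS.items() if word & bit}
    return flags, dict(zip(SECTIONS, n))

def compare(obs_a, obs_b):
    """List header differences between two answers to the same query."""
    (flags_a, counts_a), (flags_b, counts_b) = obs_a, obs_b
    diffs = ["flag %s: %s vs %s" % (f, f in flags_a, f in flags_b)
             for f in sorted(flags_a ^ flags_b)]
    for sec in SECTIONS:
        if counts_a.get(sec) != counts_b.get(sec):
            diffs.append("%s: %s vs %s" % (sec, counts_a.get(sec), counts_b.get(sec)))
    return diffs

# The two flags lines from the thread: same query, different source addresses.
REPORTER_LINE = ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
RESPONDER_LINE = ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
# Constructed header matching the first line: id 0x1234, flags word 0x8580.
WIRE = bytes.fromhex("1234" "8580" "0001" "0002" "0000" "0001")

if __name__ == "__main__":
    for d in compare(parse_dig_flags(REPORTER_LINE), parse_dig_flags(RESPONDER_LINE)):
        print(d)
```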