Broken DNS QNAME Recovery

Crist Clark cjc+bind-users at pumpky.net
Fri Apr 19 06:12:53 UTC 2024


First, yes, I know. Their DNS is broken. They should fix their DNS. We
shouldn't need to make QNAME-minimization work around broken DNS.

Name and shame a domain name in question,

    e1083.d.akamaiedge.akamai.csd.disa.mil

The problem I see: akamai.csd.disa.mil is a delegated zone. All four name
servers for the zone are in the zone. All four of the addresses in the
parent's glue are unresponsive. It's actually the same for
d.akamaiedge.akamai.csd.disa.mil too.

That is breaking resolution for BIND 9.18 servers with default
qname-minimization. If qname-minimization is set "off", it works. That's
because the disa.mil NSes will respond with the answer for that full name.
We never go farther up the name to try to find the non-responsive NS
servers.

(And yes, the DNS "authoritative" servers here are questionable too. The
TTLs look like they are caching answers, but all of the responses have AA
set.)

Does that assessment look correct? I know BIND defaults to "relaxed" QNAME
minimization. It works around certain cases of brokenness. I guess this is
not one of them? Should it be? It's a case where things work without
minimization. The brokenness is hidden for non-minimizing resolvers.

Again, yeah, they are broken. They should fix it, but it broke someone's
Very Important Work at our shop. And it used to work and it works from home
and for other customers so it must be our DNS that's broken. So we end up
setting "qname-minimization off" globally despite the fact they are really
the broken ones. We'd rather keep minimization on, but it's the only
reasonable workaround we could find.
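The failure mode described in this post, as an added toy model (not code from the poster or from BIND): a delegated child zone whose four name servers are all inside the zone, so the parent's glue is the only way to reach them, and every glue address times out. The responsive parent also answers the full name directly with AA set, which is why a non-minimizing resolver never notices. All server names, addresses and zone data below are constructed placeholders, and the resolver is a deliberately simplified walk in the spirit of RFC 9156, not BIND's actual "relaxed" state machine.

```python
"""Toy model: why unresponsive in-zone glue breaks QNAME-minimised
resolution but not a full-name lookup. Constructed data throughout; the
server names and addresses are placeholders, not real DISA/Akamai hosts."""

from typing import List, Optional

FULL_NAME = "e1083.d.akamaiedge.akamai.csd.disa.mil"
CHILD_ZONE = "akamai.csd.disa.mil"
# All four child name servers live inside the child zone (constructed names),
# so a resolver can only reach them via the parent's glue addresses.
CHILD_NS = [f"ns{i}.{CHILD_ZONE}" for i in range(1, 5)]

# Constructed state of the responsive parent server. It hands out a referral
# for the child zone, yet also answers the full name itself (the "AA set"
# behaviour the post remarks on).
PARENT = "ns.disa.mil"
PARENT_DATA = {
    "answers": {FULL_NAME: "192.0.2.10"},      # TEST-NET-1 placeholder address
    "delegations": {CHILD_ZONE: CHILD_NS},
}
RESPONSIVE = {PARENT}                           # the child servers never reply


def query(server: str, qname: str) -> Optional[dict]:
    """One query to one server; None models a timeout (dead glue address)."""
    if server not in RESPONSIVE:
        return None
    if qname in PARENT_DATA["answers"]:
        return {"rcode": "answer", "data": PARENT_DATA["answers"][qname]}
    for zone, nss in PARENT_DATA["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            return {"rcode": "referral", "ns": nss}
    # Name exists inside disa.mil but carries no record of this type.
    return {"rcode": "nodata"}


def first_response(servers: List[str], qname: str) -> Optional[dict]:
    """Try each candidate server in turn; None if every one timed out."""
    for server in servers:
        resp = query(server, qname)
        if resp is not None:
            return resp
    return None


def minimised_names(qname: str, known_labels: int) -> List[str]:
    """Intermediate names queried one label at a time below the zone the
    resolver already knows (here disa.mil, two labels), ending at qname."""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - known_labels - 1, -1, -1)]


def resolve(qname: str, minimize: bool) -> Optional[str]:
    """Return the address for qname, or None to model SERVFAIL."""
    names = minimised_names(qname, known_labels=2) if minimize else [qname]
    servers = [PARENT]                          # closest known servers
    for name in names:
        resp = first_response(servers, name)
        if resp is None:
            return None                         # all candidates timed out
        if resp["rcode"] == "answer":
            return resp["data"]
        if resp["rcode"] == "referral":
            servers = resp["ns"]                # follow glue into the child
        # "nodata" on an intermediate label: keep walking down the name
    return None


if __name__ == "__main__":
    print("minimization off:", resolve(FULL_NAME, minimize=False))
    print("minimization on: ", resolve(FULL_NAME, minimize=True))
```

With minimization off the single query for the full name is answered by the parent straight away. With minimization on, the walk reaches `akamai.csd.disa.mil`, receives the referral, switches to the four glue addresses, and every subsequent query times out, which is the SERVFAIL the post reports. The same model also makes the diagnostic obvious: checking whether each parent-supplied glue address answers for the delegated zone is what separates "our resolver is broken" from "the delegation is broken".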