PATCH: dig warn user when querying ANY towards recursive server (fwd)
kcd at chrysler.com
Mon Jul 23 22:23:07 UTC 2012
On 7/22/2012 7:27 PM, Andris Kalnozols wrote:
> On 7/22/2012 10:19 AM, Paul Wouters wrote:
>> (I don't think this made it to the list before, mixup of email
>> Please consider including this patch,
>> ---------- Forwarded message ----------
>> Date: Mon, 2 Jul 2012 17:45:08
>> From: Paul Wouters <paul at nohats.ca>
>> Cc: Paul Vixie <paul at redbarn.org>
>> To: bind-users at lists.isc.org
>> Subject: PATCH: dig warn user when querying ANY towards recursive server
>> As recently came up, when querying a recursive caching server for ANY
>> will only result on cached entries being returned, and not the whole
>> possible set. For that you need to query the authoritative server.
>> I wasn't aware of this, and since I'm sure I'll forget about this again
>> too, I wrote a patch for dig to remind me. Please apply :)
> Don't forget that recursive servers can also host the zone being
> queried. Testing for the "aa" flag makes the message more accurate.
>> if ((query->lookup->rdtype == dns_rdatatype_any) &&
>>     ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) &&
>>     (msg->flags & DNS_MESSAGEFLAG_AA) == 0)
>>         printf("\n\n;; WARNING: Requested ANY data "
>>                "from a non-authoritative recursive "
>>                "server.\n;; The cached answer "
>>                "might be incomplete.\n\n");
The DNS_MESSAGEFLAG_AA conditional should completely replace the
DNS_MESSAGEFLAG_RA conditional, since it's perfectly valid to deny
recursion to a particular client (RA=0), while at the same time allowing
it to access cached data -- which might be an incomplete nameset and
therefore should prompt the warning -- built up by other clients which
are allowed to recurse from the same nameserver instance. The only thing
that really matters is the AA flag.