Query on ignoring additional section returned in replies

Mike Hoskins (michoski) michoski at cisco.com
Wed Nov 18 16:10:59 UTC 2015

On 11/18/15, 10:47 AM, "bind-users-bounces at lists.isc.org on behalf of
Barry Margolin" <bind-users-bounces at lists.isc.org on behalf of
barmar at alum.mit.edu> wrote:

>In article <mailman.2958.1447847777.26362.bind-users at lists.isc.org>,
> Reindl Harald <h.reindl at thelounge.net> wrote:
>> when a result looks like below it needs to be fixed and "Are there any
>> BIND specific workarounds?" is the wrong question becaus even if - the
>> domain owner is not in the position to place workarounds somewhere else
>While that's the pedantically correct answer, in practice it doesn't
>work well when your users complain "Google DNS deals with it, why don't
>you?" Your users don't care what happens to people somewhere else, they
>just want to get their work done.
>Google understands that there are lots of broken DNS configurations out
>there, but their users don't want to hear that it's someone else's fault.

Yes, exactly.  Having spent a few decades wearing the DNS admin hat in
environments with large user bases, I'd be rich if I had a few cents for
all the times I've spent "digging" around to prove it's not "our" problem
but modern users don't care when they can just use Google DNS and it works

"It's an upstream issue Google is just working around."

"OK, so why can't you?"

Following up with the remote admins to fix the issue is often a joke, this
isn't the early Internet where most people had a clue, cared, listened to
zone contact mailboxes, or were enabled to make timely changes (in all
fairness with many orgs).  :-)

The upstream brokenness comes in various forms so there's no
one-size-fits-all, but for what it's worth to the OP some sites that gave
us issues in 9.9.x seems to work in 9.10.x after we explicitly changed
dnssec-validation to auto.  Can't fully explain that, but we literally had
queries running in a loop against google, 9.9.x and 9.10.x while we
twiddled different things and zones with upstream issues like this would
not resolve via 9.9.x but started working fine with 9.10.x.

More information about the bind-users mailing list