Configuration advice for a post-8020 world

Woodworth, John R John.Woodworth at CenturyLink.com
Sun Feb 12 11:09:36 UTC 2017


All,

I am asking for advice/comments/best practices for BIND
configuration and zone RRs to avoid potential issues with
Empty Non-Terminal (ENT) domain names.

Before continuing, I feel I must point out I am a big fan
of improvements in network and protocol efficiency
including RFC-8020. I also feel the authors did an excellent
job of identifying potential critical regions and agree with
their cost-benefit analysis.

Having said that, I downloaded the latest BIND (9.11.0-P3),
set up a couple of sample zones and ran the test outlined below.

SAMPLE ZONES:
101{redacted}.com.              (REAL ZONE FILE)
jwjw.sales.101{redacted}.com.   (REAL ZONE FILE)

**
NOTE: This is not intended to be commentary on "blah blah bind's
**    defective clairvoyance module blah blah blah" but rather
**    how a zone/ bind admin can best prepare for this scenario
**

TESTING:
I ran a very simple test where I had 2 valid zones with an ENT
between them.  If I understand RFC-8020 correctly, they have
formalized the response of an ENT to RCODE=NOERROR and an empty
ANSWER section.

By querying the ENT "sales.101{redacted}.com." all descendants
(including the legitimate one "jwjw.sales.101{redacted}.com.")
would be effectively "cut", creating a temporary outage (Section 5).

My questions are:
  * Did I include an error/use bad logic in the test itself?
  * Aside from stubbing out every ENT, what can be done to mitigate/
    minimize this scenario?
  * Are there any features I am overlooking which could help in
    this case?
  * For those with customers that cannot upgrade to latest bind,
    how far back will these solutions work?  (9.2.3rc1 -- 9.4.0a0)?


TEST DETAILS:
--
#> dig @127.0.0.1 101{redacted}.com.

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 101{redacted}.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47566
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
...

--
#> dig @127.0.0.1 sales.101{redacted}.com.

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 sales.101{redacted}.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2264
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
...

--
#> dig @127.0.0.1 jwjw.sales.101{redacted}.com.

; <<>> DiG 9.11.0-P3 <<>> @127.0.0.1 jwjw.sales.101{redacted}.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25145
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
...


Thanks,
John


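The following is an added example, not code from the post above and not BIND's code: a small Python model of the setup under test. It hosts a parent zone and a child zone two labels below it on one server, queries the three names in the same order as the dig runs above, first directly against the server and then through a resolver that follows RFC 8020 section 5 (a cached NXDOMAIN denies every name beneath it). The zone names example.com and jwjw.sales.example.com stand in for the redacted ones, and every record, class and function here (Zone, Server, Resolver, run_scenario) is constructed for the example. The assumption that reproduces the NXDOMAIN seen above is a parent zone with no records at or below sales; the delegate_child variant adds an NS RRset for the child to the parent, which turns sales into a true ENT that answers NOERROR with an empty answer, and empty_non_terminals() lists the ENTs a zone contains so they can be found before stubbing them out.

```python
# Added example, not code from the original post or from BIND.  Zone names are
# substitutes for the redacted ones in the post; all records are constructed.
from collections import defaultdict


def norm(name):
    """Canonical owner name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def is_descendant(name, ancestor):
    """True if name is ancestor itself or lies below it."""
    return name == ancestor or name.endswith("." + ancestor)


class Zone:
    """Minimal authoritative zone: owner name -> set of RR types present."""

    def __init__(self, origin, records):
        self.origin = norm(origin)
        self.types = defaultdict(set)
        for owner, rtype in records:
            self.types[norm(owner)].add(rtype.upper())

    def empty_non_terminals(self):
        """Names below the apex that exist only as ancestors of owner names."""
        ents = set()
        for owner in self.types:
            labels = owner.split(".")
            for i in range(1, len(labels)):
                parent = ".".join(labels[i:])
                if parent == self.origin or not is_descendant(parent, self.origin):
                    break
                if parent not in self.types:
                    ents.add(parent)
        return ents

    def answer(self, qname, qtype):
        """(response, answer_count) as an authoritative server would give."""
        qname, qtype = norm(qname), qtype.upper()
        labels = qname.split(".")
        # An NS RRset below the apex on the path to qname is a zone cut: referral.
        for i in range(len(labels) - 1, -1, -1):
            cut = ".".join(labels[i:])
            if cut != self.origin and is_descendant(cut, self.origin) \
                    and "NS" in self.types.get(cut, ()):
                return ("REFERRAL", 0)
        if qname in self.types:
            return ("NOERROR", 1 if qtype in self.types[qname] else 0)
        # An ENT (ancestor of a real owner name) exists and must get NOERROR with
        # an empty answer (RFC 4592, RFC 8020); only names with nothing below them
        # are NXDOMAIN.
        if any(is_descendant(owner, qname) for owner in self.types):
            return ("NOERROR", 0)
        return ("NXDOMAIN", 0)


class Server:
    """Hosts several zones and answers from the deepest matching one, so a child
    zone is served even when its parent zone carries no delegation to it."""

    def __init__(self, zones):
        self.zones = zones

    def query(self, qname, qtype):
        qname = norm(qname)
        matches = [z for z in self.zones if is_descendant(qname, z.origin)]
        if not matches:
            return ("REFUSED", 0)
        return max(matches, key=lambda z: len(z.origin)).answer(qname, qtype)


class Resolver:
    """RFC 8020 section 5: once NXDOMAIN is cached for a name, every name below
    it is answered NXDOMAIN without asking the authoritative server again."""

    def __init__(self, server):
        self.server = server
        self.nxdomain_cache = set()

    def resolve(self, qname, qtype):
        qname = norm(qname)
        if any(is_descendant(qname, c) for c in self.nxdomain_cache):
            return ("NXDOMAIN", 0)  # synthesized from the cached ancestor
        response = self.server.query(qname, qtype)
        if response[0] == "NXDOMAIN":
            self.nxdomain_cache.add(qname)
        return response


NAMES = ("example.com", "sales.example.com", "jwjw.sales.example.com")


def run_scenario(delegate_child):
    """Rebuild the post's test: parent zone, child zone two labels down, nothing in
    the parent at the label between them unless delegate_child adds the NS RRset."""
    parent = [("example.com", "SOA"), ("example.com", "NS"), ("example.com", "A"),
              ("www.example.com", "A")]
    if delegate_child:
        parent.append(("jwjw.sales.example.com", "NS"))
    child = [("jwjw.sales.example.com", "SOA"), ("jwjw.sales.example.com", "NS"),
             ("jwjw.sales.example.com", "A")]
    server = Server([Zone("example.com", parent), Zone("jwjw.sales.example.com", child)])
    resolver = Resolver(server)
    return {
        # like "dig @127.0.0.1 <name>": straight from the authoritative server
        "authoritative": {n: server.query(n, "A")[0] for n in NAMES},
        # the same three queries, in the post's order, through an RFC 8020 resolver
        "resolver": {n: resolver.resolve(n, "A")[0] for n in NAMES},
    }


if __name__ == "__main__":
    for delegated in (False, True):
        print("delegation in parent:", delegated, run_scenario(delegated))
```

Run as a script, the no-delegation case shows the split the post is asking about: the authoritative server answers jwjw.sales.example.com with NOERROR, but the resolver, having just cached NXDOMAIN for sales.example.com, answers the child name NXDOMAIN without asking. With the NS RRset in the parent, sales.example.com answers NOERROR with an empty answer and nothing is cut, so any RRset at the in-between name (a delegation to the child is the natural one) removes the exposure on the authoritative side regardless of which resolvers implement RFC 8020.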


