Bind/Named 9.9 auth-nxdomain question

Mark Andrews marka at isc.org
Fri Nov 10 21:05:30 UTC 2017


> On 11 Nov 2017, at 3:38 am, Tony Finch <dot at dotat.at> wrote:
> 
> Filipe Cifali <cifali at kinghost.com.br> wrote:
>> 
>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>> NXDOMAIN.
> 
> BIND (well, all DNS servers) have to do that. It doesn't need to be
> configured. See the first example dig output below.
> 
> However the example query in your first message did not seem to match what
> you are asking for. You were querying for a domain for which your server
> was not authoritative, so it tried to recurse, but failed (some kind of
> firewall?). Usually on an auth-only server you should disable recursion,
> so your example query would return REFUSED. See the second example dig
> output below.
> 
> 
>> This is what the auth-nxdomain should do I suppose.
> 
> No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
> recursive answers, for bug compatibility with BIND 8.

More correctly it has to do with RFC 103[45] where NXDOMAIN is not to
be accepted without the AA bit being set to 1 which makes it impossible to
return NXDOMAIN from a cache.  This is a specification error.  Some
clients, 2 decades ago, rejected NXDOMAIN without AA being set.  This
flag was to allow the recursive server to interoperate with them.

> 
> 
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;nxdomain.cam.ac.uk.    IN A
> 
> ;; AUTHORITY SECTION:
> cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
>                                1510329268 ; serial
>                                1800       ; refresh (30 minutes)
>                                900        ; retry (15 minutes)
>                                604800     ; expire (1 week)
>                                3600       ; minimum (1 hour)
>                                )
> 
> ;; Query time: 1 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:27:05 GMT 2017
> ;; MSG SIZE  rcvd: 93
> 
> 
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;notauth.               IN A
> 
> ;; Query time: 0 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:34:11 GMT 2017
> ;; MSG SIZE  rcvd: 25
> 
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
> rough, occasionally high in north. Showers. Good.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
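
The flag and rcode combinations discussed in this thread, as an added example that is not part of the original posts and not BIND code: a small parser for the DNS header and question section, plus an audit function that flags the two things an operator of an authoritative-only server cares about (NXDOMAIN returned without AA, and recursion being advertised). The three wire messages are constructed here to mirror the two dig outputs above and the cached-NXDOMAIN case that auth-nxdomain was added for; names are written uncompressed, so only the 25-byte REFUSED message matches the size dig reported.

```python
"""Added example: parse a DNS response header and audit its AA / RCODE bits."""
import struct

# Header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
RD = 0x0100   # recursion desired (copied from the query)
RA = 0x0080   # recursion available
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, offset):
    """Decode an uncompressed name at offset; return (fqdn, offset after it)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def soa_rr(owner, mname, rname, serial, refresh, retry, expire, minimum, ttl):
    """Build one SOA resource record (type 6, class IN) in wire format."""
    rdata = encode_name(mname) + encode_name(rname)
    rdata += struct.pack("!IIIII", serial, refresh, retry, expire, minimum)
    return encode_name(owner) + struct.pack("!HHIH", 6, 1, ttl, len(rdata)) + rdata


def build_response(msg_id, qname, rcode, flags=0, authority=b"", ns_count=0):
    """Build a response with one A/IN question and an optional AUTHORITY section."""
    header = struct.pack("!HHHHHH", msg_id, QR | flags | (rcode & 0xF), 1, 0, ns_count, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + authority


def parse_response(wire):
    """Return the header fields and question name as a dict."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    qname, off = decode_name(wire, 12)
    qtype, _qclass = struct.unpack("!HH", wire[off:off + 4])
    return {
        "id": msg_id,
        "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "qr": bool(flags & QR), "aa": bool(flags & AA), "ra": bool(flags & RA),
        "qname": qname, "qtype": qtype,
        "counts": (qd, an, ns, ar),
    }


def audit_auth_response(wire):
    """Findings for a response that an authoritative-only server is expected to give."""
    r = parse_response(wire)
    findings = []
    if r["rcode"] == "NXDOMAIN" and not r["aa"]:
        findings.append("NXDOMAIN without AA: answer came from a cache or recursion, not zone data")
    if r["rcode"] == "NXDOMAIN" and r["counts"][2] == 0:
        findings.append("NXDOMAIN without an SOA in AUTHORITY: negative answer is not cacheable (RFC 2308)")
    if r["ra"]:
        findings.append("RA set: server advertises recursion; an auth-only server should REFUSE off-zone names")
    return r, findings


# Constructed sample messages (values taken from the dig outputs quoted above).
NXDOMAIN_AUTH = build_response(
    35951, "nxdomain.cam.ac.uk", 3, flags=AA, ns_count=1,
    authority=soa_rr("cam.ac.uk", "ipreg.csi.cam.ac.uk", "hostmaster.cam.ac.uk",
                     1510329268, 1800, 900, 604800, 3600, 3600))
REFUSED_OFFZONE = build_response(53652, "notauth", 5)
# Constructed: the case auth-nxdomain papers over, an NXDOMAIN served from a cache.
NXDOMAIN_FROM_CACHE = build_response(4242, "nxdomain.cam.ac.uk", 3, flags=RA | RD)

if __name__ == "__main__":
    for label, wire in [("authoritative NXDOMAIN", NXDOMAIN_AUTH),
                        ("off-zone REFUSED", REFUSED_OFFZONE),
                        ("cached NXDOMAIN", NXDOMAIN_FROM_CACHE)]:
        r, findings = audit_auth_response(wire)
        print(f"{label}: id={r['id']} status={r['rcode']} aa={r['aa']} ra={r['ra']}")
        for f in findings:
            print("  -", f)
```

Running it against a real server is a matter of replacing the constructed bytes with the UDP payload of a response; the audit only reads the 12-byte header and the question, so compressed names in later sections do not matter to it.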