Bind/Named 9.9 auth-nxdomain question

Filipe Cifali cifali at kinghost.com.br
Mon Nov 13 11:23:50 UTC 2017


On 11/10/2017 07:05 PM, Mark Andrews wrote:
>> On 11 Nov 2017, at 3:38 am, Tony Finch <dot at dotat.at> wrote:
>>
>> Filipe Cifali <cifali at kinghost.com.br> wrote:
>>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>>> NXDOMAIN.
>> BIND (well, all DNS servers) have to do that. It doesn't need to be
>> configured. See the first example dig output below.
>>
>> However the example query in your first message did not seem to match what
>> you are asking for. You were querying for a domain for which your server
>> was not authoritative, so it tried to recurse, but failed (some kind of
>> firewall?). Usually on an auth-only server you should disable recursion,
>> so your example query would return REFUSED. See the second example dig
>> output below.
>>
>>
>>> This is what the auth-nxdomain should do I suppose.
>> No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
>> recursive answers, for bug compatibility with BIND 8.
> More correctly it has to do with RFC 103[45] where NXDOMAIN is not to
> be accepted without the AA bit being set to 1 which makes it impossible to
> return NXDOMAIN from a cache.  This is a specification error.  Some
> clients, 2 decades ago, rejected NXDOMAIN without AA being set.  This
> flag was to allow the recursive server to interoperate with them.

Thanks, I understand now how it is supposed to be used.

Is there a way for me to help clear up the docs? I don't think I should 
file a "bug" report about this.

>>
>> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;nxdomain.cam.ac.uk.    IN A
>>
>> ;; AUTHORITY SECTION:
>> cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
>>                                 1510329268 ; serial
>>                                 1800       ; refresh (30 minutes)
>>                                 900        ; retry (15 minutes)
>>                                 604800     ; expire (1 week)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
>> ;; WHEN: Fri Nov 10 16:27:05 GMT 2017
>> ;; MSG SIZE  rcvd: 93
>>
>>
>> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
>> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;notauth.               IN A
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
>> ;; WHEN: Fri Nov 10 16:34:11 GMT 2017
>> ;; MSG SIZE  rcvd: 25
>>
>>
>> Tony.
>> -- 
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
>> Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
>> rough, occasionally high in north. Showers. Good.

-- 

Filipe Cifali Stangler | Infrastructure Analyst
cifali at kinghost.com.br | www.kinghost.com.br


More information about the bind-users mailing list
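
An added example, not part of the original thread or of BIND: a small Python check that decodes the DNS header flags discussed above and labels a response the way the thread describes (AA on an in-zone NXDOMAIN, REFUSED without AA for a zone the server does not serve). The function names and labels are assumptions; the first two sample headers are constructed from the id, flags and counts in the quoted dig output, the third is made up.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed 12-byte headers. The first two reuse the id, flags and section
# counts from the dig output quoted in the thread; the third is invented.
NXDOMAIN_HDR = bytes.fromhex("8c6f 8403 0001 0000 0001 0000")   # qr aa, NXDOMAIN
REFUSED_HDR = bytes.fromhex("d194 8005 0001 0000 0000 0000")    # qr, REFUSED
RECURSIVE_HDR = bytes.fromhex("0001 8483 0001 0000 0000 0000")  # qr aa ra, NXDOMAIN


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": RCODES.get(rcode, str(rcode)),
        "counts": (qd, an, ns, ar),
    }


def classify(msg: bytes) -> str:
    """Label a reply to a +norec query sent to a server meant to be auth-only."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    # Checked before AA: with auth-nxdomain enabled a recursive server also
    # sets AA on NXDOMAIN, so AA alone does not prove the answer is authoritative.
    if h["ra"]:
        return "recursion-available"
    if h["rcode"] == "NXDOMAIN":
        return "authoritative-nxdomain" if h["aa"] else "non-authoritative-nxdomain"
    if h["rcode"] == "REFUSED" and not h["aa"]:
        return "refused-not-authoritative"
    return "other"


if __name__ == "__main__":
    for hdr in (NXDOMAIN_HDR, REFUSED_HDR, RECURSIVE_HDR):
        print(parse_header(hdr)["rcode"], classify(hdr))
```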