<div dir="ltr">Hi John.<div>A few questions, if I may.</div><div>- Why *must* you forward everything to Akamai?</div><div>- Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please?</div><div>- Notwithstanding the nature of these illegal queries, if they *are* illegal (or misguided, or errors, or malicious, or whatever - anything but valid), what's the issue with returning SERVFAIL? GIGO. Or does that then prejudice genuine queries, for some reason?</div><div>- Are you *only* forwarding to Akamai?</div><div>- Do you have "forward only;" or "forward first;"?</div><div>- Do Akamai have any knobs you can tweak (I believe they have a customer web portal for viewing/changing settings?) that would make them behave like an RFC compliant DNS server?</div><div><br></div><div>Cheers, Greg</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 24 Jan 2023 at 21:17, John Thurston <<a href="mailto:john.thurston@alaska.gov">john.thurston@alaska.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>My "resolvers" running BIND 9.18.10 and 9.16.36, accept and
attempt to resolve queries for illegal names. They will cache
answers for these names, and answer from cache when asked. What's
the thinking here? <br>
</p>
<p>I suppose it could be, "The specifications of what is a legal
name may change with time, and we don't want to burden the
resolver code by asking it to validate the string before trying to
resolve it."</p>
<p>This comes up because my "resolvers" don't actually resolve. All
they are allowed to do is forward external queries to Akamai, and
accept the response from Akamai. And Akamai (thank you very much),
is happy to accept queries like "What is the A-record for
10.11.12.13?" and reply with "The answer is 10.11.12.13, and is
good for 10 seconds."</p>
<p>Akamai's explanation for this behavior is, ..." the query was
made in error (likely/maybe meant to be type "PTR") and we are
trying to save the resolver from doing the work a query like this
would entail." <br>
</p>
<p>But what it really means is my validating "resolver" then does
the work of trying to validate the reply it got. It is unable to
do so, and returns a SERVFAIL to the customer.</p>
<p>I haven't yet tried, but I don't expect I can define an RPZ to
trap such illegal names. Can I? If I could, it would reduce the
traffic to Akamai, and the number of validations I'm trying to do.</p>
<p><br>
</p>
<p><br>
</p>
<pre cols="72">--
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
<a href="mailto:John.Thurston@alaska.gov" target="_blank">John.Thurston@alaska.gov</a>
Department of Administration
State of Alaska</pre>
</div>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
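<p>Added example (editor's addition, not code from either poster or from ISC): Greg asks for real examples of the "daft" queries, and John's concern is the volume of address-type lookups whose QNAME is itself an IP literal (the 10.11.12.13 IN A case) being forwarded and then failing validation. The script below measures that from a resolver's own logs. It assumes lines in the shape of BIND 9 "queries" category logging; the sample lines, the client addresses in 192.0.2.0/24 and the resolver address 192.0.2.53 are constructed for the example. It flags both A and AAAA queries with an IP-literal name, and deliberately does not flag the legitimate reverse form (13.12.11.10.in-addr.arpa, type PTR).</p>

```python
"""Flag BIND 9 query-log entries whose QNAME is a bare IP address literal.

Assumed input: lines in the shape of BIND 9 "queries" category logging, e.g.
'... client @0x... 192.0.2.10#42817 (10.11.12.13): query: 10.11.12.13 IN A +E(0)K (192.0.2.53)'
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not taken from the mailing-list post); hypothetical
# clients in 192.0.2.0/24 querying a hypothetical resolver at 192.0.2.53.
SAMPLE_QUERY_LOG = """\
24-Jan-2023 21:10:01.123 queries: info: client @0x7f3a2c0a1b20 192.0.2.10#42817 (10.11.12.13): query: 10.11.12.13 IN A +E(0)K (192.0.2.53)
24-Jan-2023 21:10:01.456 queries: info: client @0x7f3a2c0a1b20 192.0.2.10#42818 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
24-Jan-2023 21:10:02.001 queries: info: client @0x7f3a2c0a2c30 192.0.2.11#51000 (13.12.11.10.in-addr.arpa): query: 13.12.11.10.in-addr.arpa IN PTR +E(0)K (192.0.2.53)
24-Jan-2023 21:10:02.500 queries: info: client @0x7f3a2c0a2c30 192.0.2.11#51001 (198.51.100.7): query: 198.51.100.7 IN AAAA +E(0)K (192.0.2.53)
24-Jan-2023 21:10:03.000 queries: info: client @0x7f3a2c0a1b20 192.0.2.10#42819 (10.11.12.13): query: 10.11.12.13 IN A +E(0)K (192.0.2.53)
"""

# Pulls the client address, query name, class and type out of one querylog line.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Query types for which an IP-literal QNAME makes no sense (the PTR form is legitimate).
ADDRESS_TYPES = {"A", "AAAA"}


def is_ip_literal(qname: str) -> bool:
    """True if the query name, minus any trailing dot, parses as an IPv4 or IPv6 address.

    A reverse-lookup name such as 13.12.11.10.in-addr.arpa does not parse as an
    address and so is not flagged; that is the proper way to ask about an IP.
    """
    try:
        ipaddress.ip_address(qname.rstrip("."))
    except ValueError:
        return False
    return True


def parse_query_log(text: str):
    """Yield (client, qname, qclass, qtype) for every line that matches the querylog shape."""
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            yield (match.group("client"), match.group("qname"),
                   match.group("qclass"), match.group("qtype"))


def find_ip_literal_queries(text: str):
    """Return (client, qname, qtype) for address-type queries whose QNAME is an IP literal."""
    return [
        (client, qname, qtype)
        for client, qname, _qclass, qtype in parse_query_log(text)
        if qtype in ADDRESS_TYPES and is_ip_literal(qname)
    ]


def summarize(text: str) -> Counter:
    """Count flagged queries per (qname, qtype) so the noisiest names surface first."""
    return Counter((qname, qtype) for _client, qname, qtype in find_ip_literal_queries(text))


if __name__ == "__main__":
    # Run against a real log with: python3 this_script.py < /var/log/named/queries.log
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QUERY_LOG
    for (qname, qtype), count in summarize(data).most_common():
        print(f"{count:6d}  {qname} {qtype}")
```

<p>Running this over a day of query logs gives the "real examples" Greg asks for and a count of how much traffic would be saved by answering such queries locally instead of forwarding them; the per-client tuples from <code>find_ip_literal_queries</code> also show whether the lookups come from a few misconfigured hosts or are spread across the customer base.</p>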