> On 11 Nov 2017, at 3:38 am, Tony Finch <d...@dotat.at> wrote:
>
> Filipe Cifali <cif...@kinghost.com.br> wrote:
>>
>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>> NXDOMAIN.
>
> BIND (well, all DNS servers) have to do that. It doesn't need to be
> configured. See the first example dig output below.
>
> However the example query in your first message did not seem to match what
> you are asking for. You were querying for a domain for which your server
> was not authoritative, so it tried to recurse, but failed (some kind of
> firewall?). Usually on an auth-only server you should disable recursion,
> so your example query would return REFUSED. See the second example dig
> output below.
>
>
>> This is what the auth-nxdomain should do I suppose.
>
> No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
> recursive answers, for bug compatibility with BIND 8.
More correctly it has to do with RFC 103[45] where NXDOMAIN is not to be
accepted without the AA bit being set to 1, which makes it impossible to
return NXDOMAIN from a cache. This is a specification error. Some clients,
2 decades ago, rejected NXDOMAIN without AA being set. This flag was to
allow the recursive server to interoperate with them.

>
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk
> @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;nxdomain.cam.ac.uk.     IN A
>
> ;; AUTHORITY SECTION:
> cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk.
>                                 hostmaster.cam.ac.uk. (
>                                 1510329268 ; serial
>                                 1800       ; refresh (30 minutes)
>                                 900        ; retry (15 minutes)
>                                 604800     ; expire (1 week)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; Query time: 1 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:27:05 GMT 2017
> ;; MSG SIZE  rcvd: 93
>
>
> ; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth
> @authdns0.csx.cam.ac.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;notauth.                IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
> ;; WHEN: Fri Nov 10 16:34:11 GMT 2017
> ;; MSG SIZE  rcvd: 25
>
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
> Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
> rough, occasionally high in north. Showers. Good.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
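The thread turns on three header states that dig prints as one line each: an authoritative NXDOMAIN (flags `qr aa`), a REFUSED from a non-recursive server that is not authoritative for the name (flags `qr`), and the auth-nxdomain case where a recursive server sets AA on an answer it did not get from its own zone. The script below is an added example, not code from the thread or from BIND: it packs and decodes the 12-byte DNS header from RFC 1035, prints the flags dig-style, and classifies what the combination of AA, RA and RCODE says about who answered. The four sample headers are constructed here; the first two copy the ids, flags and section counts of the two dig outputs Tony quoted, the other two are made-up recursive-server cases. The `probe` helper, which sends a non-recursive (RD clear, dig's `+norec`) A query to a server you name, is a hypothetical name of mine and needs network access; everything else runs offline.

```python
import socket
import struct

# DNS header flag bits, RFC 1035 section 4.1.1.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_header(ident, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header: id, flags, then the four section counts."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def parse_header(msg):
    """Unpack the header of a DNS message into a dict of named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "rcode_name": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def flag_string(h):
    """Render the flags the way dig prints them, e.g. 'qr aa'."""
    return " ".join(n for n in ("qr", "aa", "tc", "rd", "ra") if h[n])


def classify(h):
    """Explain what a response header says about who answered and how."""
    if not h["qr"]:
        return "not a response"
    if h["rcode_name"] == "REFUSED":
        return "REFUSED: server is not authoritative for the name and does not recurse"
    if h["rcode_name"] == "NXDOMAIN":
        if h["aa"] and not h["ra"]:
            return "authoritative NXDOMAIN from a non-recursive server"
        if h["aa"]:
            return ("NXDOMAIN with AA from a server that also offers recursion "
                    "(its own zone, or auth-nxdomain yes on a recursive answer)")
        return "non-authoritative NXDOMAIN (cached/recursive answer, AA clear)"
    return f"{h['rcode_name']} ({flag_string(h)})"


# Constructed samples. The first two mirror the dig outputs quoted in the thread
# (same id, flags, rcode and counts); the last two are invented recursive cases.
SAMPLES = {
    "auth_nxdomain":     build_header(35951, QR | AA | 3, 1, 0, 1, 0),           # qr aa
    "refused":           build_header(53652, QR | 5, 1, 0, 0, 0),                # qr
    "cache_nxdomain":    build_header(4242, QR | RD | RA | 3, 1, 0, 1, 0),       # qr rd ra
    "auth_nxdomain_yes": build_header(4243, QR | AA | RD | RA | 3, 1, 0, 1, 0),  # qr aa rd ra
}


def encode_qname(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(ident, qname, recurse=False):
    """Build a class IN, type A query; recurse=False leaves RD clear like dig +norec."""
    flags = RD if recurse else 0
    return build_header(ident, flags) + encode_qname(qname) + struct.pack("!HH", 1, 1)


def probe(server, qname, port=53, timeout=3.0):
    """Hypothetical helper: send a non-recursive A query over UDP and classify the reply."""
    ident = 0x1234
    family, _, _, _, addr = socket.getaddrinfo(server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(ident, qname), addr)
        data, _ = s.recvfrom(4096)
    h = parse_header(data)
    if h["id"] != ident:
        raise ValueError("response id does not match query id")
    return h, classify(h)


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        h = parse_header(msg)
        print(f"{name:18s} id={h['id']:5d} flags=[{flag_string(h)}] "
              f"status={h['rcode_name']}: {classify(h)}")
```

Run against your own authoritative server with `probe("192.0.2.53", "nosuch.example")` (placeholder address) after setting `recursion no;` and you should see `qr aa` with NXDOMAIN for names under your zones and plain `qr` with REFUSED for anything else, which is exactly the pair of dig outputs in the thread.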