Viktor Dukhovni wrote on 2019-11-10 20:32:
...

<https://github.com/PowerDNS/pdns/issues/8150>

Reading that issue it seems that the servers in question return
cached non-authoritative data even when the request has RD=0,
provided some recent RD=1 query brings the data into the cache.

In which case the issue is not *failing* to set AA=1, but rather
a server that is authoritative for some domains and recursive for
others allowing non-authoritative cached data to leak into RD=0
replies.

How common are such servers?  Is their behaviour incorrect?

we called this bug "bind8" and before that "bind4", which, when operating in authoritative + recursive mode, kept all data no matter where it came from in a single tree. a decade was spent trying to tag things to prevent leaks of recursive data into authoritative answers.

the fix was called "bind9" which does not leak in this way.

there's also a general trend to authoritative-only and recursive-only, rather than doing both in one name server, even though modern name servers (not just bind9) no longer leak.

--
P Vixie
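An added check for the behaviour discussed above (not code from the thread or from any of the name servers mentioned): probe a server that is both authoritative and recursive for a name it does not own, first with RD=1 to pull the name into its cache, then with RD=0, and classify the RD=0 reply from its header. Only the Python standard library is used; the server address and query name in the `__main__` block are placeholders.

```python
"""Classify RD=0 replies for the cache-leak behaviour described in the thread.

A correctly separated server answers an RD=0 query for a name it is not
authoritative for with a referral or REFUSED; a leaking server returns the
cached answer with AA=0.
"""
import socket
import struct

def build_query(qname, qtype=1, rd=False, txid=0x1234):
    """Minimal DNS/UDP query: 12-byte header plus one IN question, no EDNS."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qn + b"\x00" + struct.pack("!HH", qtype, 1)

def classify_reply(msg):
    """Heuristic classification of a reply to an RD=0 probe, header only."""
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    qr, aa, rd, rcode = flags >> 15 & 1, flags >> 10 & 1, flags >> 8 & 1, flags & 0xF
    if not qr:
        return "not-a-response"
    if rd:
        return "rd-mismatch"       # server echoed RD=1 to an RD=0 probe
    if rcode == 5:
        return "refused"           # recursion not offered to this client
    if ancount > 0 and aa:
        return "authoritative"     # server owns the zone; nothing leaked
    if ancount > 0 and not aa:
        return "leak"              # cached non-authoritative data in an RD=0 reply
    if nscount > 0:
        return "referral"          # the expected behaviour of a non-leaking server
    return "no-answer-data"

def probe(server, qname, rd, timeout=3.0, txid=0x1234):
    """Send one query over UDP (network access) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, rd=rd, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return classify_reply(data)

if __name__ == "__main__":
    SERVER, NAME = "192.0.2.53", "example.net"   # placeholders, not real targets
    probe(SERVER, NAME, rd=True)                 # prime the cache
    print("RD=0 reply:", probe(SERVER, NAME, rd=False))
```

Run it against your own dual-role server; a result of "leak" means cached data is reaching RD=0 replies, and "referral" or "refused" is the behaviour the thread describes as fixed.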

dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations