Viktor Dukhovni wrote on 2019-11-12 15:26:
> On Nov 12, 2019, at 2:32 PM, Paul Vixie <[email protected]> wrote:
>
>> In context, the leak I was talking about was the use of recursive data
>> in authoritative answers, coming from servers configured for both.
>
> Can you be more explicit about what you mean by "in authoritative
> answers"?  Do you mean answers to queries with "RD=0", or answers
> with "AA=1"?

ideally, RD=0 would access only authority data, including glue for delegations; RD=1 would access only recursively fetched data. this calls for a virtual query in some delegation-point cases (like a virtual particle in a Feynman diagram) where authoritative data is transferred into the recursive view exactly as if half of the server had queried the other half. once copied into the recursive view, its TTL would begin to tick down normally. RD=0 would always align with AA=1, and RD=1 would always align with AA=0.

> It seems that a dual-mode BIND9 server does return recursive data
> in answer to queries with "RD=0", but such answers then also have
> "AA=0".

sounds like a bug, some of which did slip through BIND9's cracks.

--
P Vixie

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
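An added example, not code from the thread: a small Python checker that decodes the 12-byte DNS header and tests a response against the RD/AA alignment Paul describes (RD=0 answers should carry AA=1, RD=1 answers AA=0). Since a server copies the query's RD bit into its response, the response header alone is enough to spot the case Viktor reports: answer records returned with RD=0 and AA=0. The sample headers are constructed, not captured traffic.

```python
import struct


def parse_dns_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) into its fields."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,       # authoritative answer
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,        # copied from the query by the server
        "ra": (flags >> 7) & 1,        # recursion available
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(packet: bytes) -> str:
    """Classify a response against the RD/AA alignment described in the thread.

    RD=0 should only ever be answered from authority data (AA=1); RD=1 only
    from the recursive view (AA=0). Answer records with RD=0 and AA=0 mean
    cached, recursively fetched data was served into the authoritative view.
    """
    h = parse_dns_header(packet)
    if not h["qr"]:
        return "not-a-response"
    if h["rd"] == 0 and h["aa"] == 0 and h["ancount"] > 0:
        return "leak: recursive data served to an RD=0 query"
    if h["rd"] == 1 and h["aa"] == 1:
        return "misaligned: AA=1 on an RD=1 answer"
    return "aligned"


def build_header(ident: int, qr: int, aa: int, rd: int, ra: int, ancount: int) -> bytes:
    """Build a constructed 12-byte header for testing (sample data, not real traffic)."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed samples: the dual-mode BIND9 case reported above, and the aligned forms.
LEAKY_RD0_AA0 = build_header(0x1234, qr=1, aa=0, rd=0, ra=1, ancount=1)
AUTH_RD0_AA1 = build_header(0x1235, qr=1, aa=1, rd=0, ra=1, ancount=1)
CACHE_RD1_AA0 = build_header(0x1236, qr=1, aa=0, rd=1, ra=1, ancount=1)
```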
