Named behaves as an authoritative server for RD=0 queries in
mixed mode if it is serving an enclosing zone.  Below is a recursive
query followed by a non-recursive query for the same name to the
same instance of named configured to serve the root zone.

[beetle:~/git/bind9] marka% dig -p 5333 isc.org

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> -p 5333 isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26993
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d1efb6b27cf32bc2010000005dcb4b983bb2e3dd23cf608b (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; ANSWER SECTION:
isc.org.                60      IN      A       149.20.1.66

;; Query time: 277 msec
;; SERVER: 127.0.0.1#5333(127.0.0.1)
;; WHEN: Wed Nov 13 11:17:28 AEDT 2019
;; MSG SIZE  rcvd: 80

[beetle:~/git/bind9] marka% dig -p 5333 isc.org +norec

; <<>> DiG 9.15.4+hotspot+add-prefetch+marka <<>> -p 5333 isc.org +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44832
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: df9a3450addc5ae3010000005dcb4b9f7b6c9cf4990c2df0 (good)
;; QUESTION SECTION:
;isc.org.                       IN      A

;; AUTHORITY SECTION:
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.

;; ADDITIONAL SECTION:
d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1
c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5333(127.0.0.1)
;; WHEN: Wed Nov 13 11:17:35 AEDT 2019
;; MSG SIZE  rcvd: 469

[beetle:~/git/bind9] marka% cat xxx.conf
options {
        listen-on port 5333 { 127.0.0.1; };
        listen-on-v6 { none; };
};

zone "." {
        type master;
        file "root.db";
};
[beetle:~/git/bind9] marka% 


> On 13 Nov 2019, at 10:26, Viktor Dukhovni <[email protected]> wrote:
> 
>> On Nov 12, 2019, at 2:32 PM, Paul Vixie <[email protected]> wrote:
>> 
>> In context, the leak I was talking about was the use of recursive data
>> in authoritative answers, coming from servers configured for both.
> 
> Can you be more explicit about what you mean by "in authoritative
> answers"?  Do you mean answers to queries with "RD=0", or answers
> with "AA=1"?
> 
> It seems that a dual-mode BIND9 server does return recursive data
> in answer to queries with "RD=0", but such answers then also have
> "AA=0".
> 
> -- 
>       Viktor.
> 
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
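
Added example, not part of the original message: a small Python classifier for dig output that separates the cases discussed in this thread (answer, referral, and non-authoritative data returned to an RD=0 query). The first two samples are abridged from the dig output above; the third is constructed, and the function and field names are hypothetical.

```python
import re

HDR = re.compile(r"status: (\w+).*?flags:([^;]*); QUERY: \d+, ANSWER: (\d+), "
                 r"AUTHORITY: (\d+)", re.S)

def authority_types(dig_text):
    """Return the set of record types listed in the AUTHORITY section."""
    types, inside = set(), False
    for line in dig_text.splitlines():
        if line.startswith(";; AUTHORITY SECTION:"):
            inside = True
        elif inside and (not line.strip() or line.startswith(";")):
            break                      # blank line or next section ends it
        elif inside and len(line.split()) >= 4:
            types.add(line.split()[3]) # name ttl class TYPE rdata
    return types

def classify(dig_text):
    """Classify one dig response from its header flags and section counts."""
    m = HDR.search(dig_text)
    if m is None:
        raise ValueError("no dig header found")
    status, flags = m.group(1), set(m.group(2).split())
    answers, authority = int(m.group(3)), int(m.group(4))
    aa, rd = "aa" in flags, "rd" in flags
    if status != "NOERROR":
        kind = "rcode " + status
    elif aa:
        kind = "authoritative"
    elif answers:
        kind = "non-authoritative answer"
    elif authority and "NS" in authority_types(dig_text):
        kind = "referral"
    else:
        kind = "non-authoritative empty"
    # rd0_nonauth_data: RD=0 query that still got AA=0 answer records
    return {"kind": kind, "rd": rd, "aa": aa,
            "rd0_nonauth_data": not rd and not aa and answers > 0}

# Abridged from the two dig runs in the message above.
RECURSIVE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26993
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
NOREC = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44832
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13

;; AUTHORITY SECTION:
org.                    172800  IN      NS      a0.org.afilias-nst.info.
"""
# Constructed sample: RD=0 query answered with AA=0 answer data.
CONSTRUCTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
```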
