On Mon, Mar 9, 2015 at 2:55 PM, Shumon Huque <shu...@gmail.com> wrote:

> On Mon, Mar 9, 2015 at 2:45 PM, Robert Edmonds <edmo...@mycre.ws> wrote:
>
>> Shumon Huque wrote:
>> > PS. regarding Paul Vixie's recent suggestion of adding an AAAA or A record
>> > set in the additional section for a corresponding A or AAAA query, I just
>> > learned today that Unbound already does this. Not sure if there are any DNS
>> > client APIs that can successfully make use of this info yet.
>>
>> Hi, Shumon:
>>
>> Do you mean that Unbound will accept such answers from servers, or that
>> it will send such answers to clients, or both?
>>
>
> This was from a transcript of a 'dig' session to an unbound resolver - so
> this is unbound sending responses back to clients. I'm not sure if it
> accepts such answers from queries to authority servers, nor do I know if
> there are any authority servers that return such responses.
>
>
>> I just tried querying an Unbound 1.5.2 server for a cached, signed pair
>> of A/AAAA records and I don't believe Unbound sends such answers to
>> clients, at least not by default.
>>
>
> Hmm, let me double check the details of the configuration and get back to
> you. From the discussion with the colleagues that are running this server,
> it sounded like it was the default, but perhaps some configuration knob
> needs to be tweaked.
>

Upon closer inspection, it looks like I was mistaken. I was misled by the
following output which coincidentally looks like gratuitous AAAA in the
additional section:

$ dig @N.N.N.N getdnsapi.net A +ignore +sit='b1c18d3e4328485cfe63a64b54fdf6a106f0e2e550919fa3'

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52975
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; SIT: b1c18d3e4328485c43b55e7954fdfd02f2cd44ce05415c15 (good)
;; QUESTION SECTION:
;getdnsapi.net.            IN    A

;; ANSWER SECTION:
getdnsapi.net.        450    IN    A    185.49.141.37

;; AUTHORITY SECTION:
getdnsapi.net.        450    IN    NS    getdnsapi.net.
getdnsapi.net.        450    IN    NS    mcvax.nlnet.nl.
getdnsapi.net.        450    IN    NS    dicht.nlnetlabs.nl.

;; ADDITIONAL SECTION:
getdnsapi.net.        450    IN    AAAA    2a04:b900:0:100::37

When in fact it's probably just unbound helpfully adding an AAAA
corresponding to one of the NS names in the authority section. The resolver
(actually identity masked) is at NLNetlabs (the unbound folks), so I was
thinking this might possibly be some special code or configuration in one
of their servers, but the actual explanation seems to be more benign.

Shumon Huque
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
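
Added example (not part of the original message and not Unbound's code): a Python sketch that parses the record lines of the dig output quoted above and labels each A/AAAA record in the additional section as either the address of an NS target from the authority section or a companion record for the query name. The function names and labels are assumptions chosen for illustration.

```python
import re

# Record lines from the dig output quoted in the message above (header and OPT lines trimmed).
SAMPLE = """\
;; QUESTION SECTION:
;getdnsapi.net.            IN    A
;; ANSWER SECTION:
getdnsapi.net.        450    IN    A    185.49.141.37
;; AUTHORITY SECTION:
getdnsapi.net.        450    IN    NS    getdnsapi.net.
getdnsapi.net.        450    IN    NS    mcvax.nlnet.nl.
getdnsapi.net.        450    IN    NS    dicht.nlnetlabs.nl.
;; ADDITIONAL SECTION:
getdnsapi.net.        450    IN    AAAA    2a04:b900:0:100::37
"""

def parse_sections(text):
    """Split dig output into {section: [(owner, rtype, rdata), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";;"):
            f = line.lstrip(";").split()
            if current == "QUESTION" and len(f) >= 3:      # owner, class, type
                sections[current].append((f[0].lower(), f[2], ""))
            elif len(f) >= 5:                              # owner, ttl, class, type, rdata
                sections[current].append((f[0].lower(), f[3], " ".join(f[4:])))
    return sections

def classify_additional(text):
    """For each A/AAAA in ADDITIONAL return (owner, rtype, label, looks_like_sibling)."""
    s = parse_sections(text)
    qname, qtype, _ = s["QUESTION"][0]
    ns_targets = {rd.lower() for _, rt, rd in s.get("AUTHORITY", []) if rt == "NS"}
    sibling = {"A": "AAAA", "AAAA": "A"}.get(qtype)
    addrs = [r for r in s.get("ADDITIONAL", []) if r[1] in ("A", "AAAA")]
    out = []
    for owner, rtype, _ in addrs:
        looks_like_sibling = owner == qname and rtype == sibling
        label = "unexplained"
        if owner in ns_targets:        # address of an NS target: ordinary additional data
            label = "ns-address"
        elif looks_like_sibling:       # companion A/AAAA for the query name itself
            label = "sibling-of-qname"
        out.append((owner, rtype, label, looks_like_sibling))
    return out
```

For the quoted output, `classify_additional(SAMPLE)` labels the AAAA record `ns-address` while also flagging it as looking like a sibling of the query name, which is the coincidence described in the message: the zone lists its own apex as a name server.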
