(no hats except a long-time acquaintance with root server operations) Not sure it helps determine what resolvers should do in anomalous situations, but per Stephane's quasi-question about the "good practice" of root servers being configured as auth-only: "Service Expectations of Root Servers" (https://www.icann.org/en/system/files/files/rssac-001-root-service-expectations-04dec15-en.pdf), cited in RFC 7720 as reference RSSAC-01, does specify that "From a protocol perspective, a Root Server is a DNS name server that provides authoritative-only DNS service for the root zone," and cites RFC 1034. I can't find this directly asserted in RFC 1034 but only spent a few minutes looking.
As a practical matter, I'm OK with a general expectation that if an answer can be validated, the resolver doesn't care if it's non-authoritative.This also suggests that getting a non-authoritative answer where an authoritative answer was expected should perhaps be treated the same way at the root that it's treated anywhere else (it's functionally a lame delegation). What does widely deployed code do? Suzanne On Jan 21, 2016, at 10:07 PM, Paul Hoffman <[email protected]> wrote: > This is the summary of the thread about the following sentence in the section > on priming queries: > > The RD bit MAY be set to 0 or 1, although the meaning of it being set to 1 is > undefined for priming queries. > > There were four replies with what seems like four different takes on it. Can > others in the WG weigh in so we might get consensus? > > --Paul Hoffman > > On 15 Jan 2016, at 2:50, Stephane Bortzmeyer wrote: > >> On Thu, Jan 14, 2016 at 11:09:36AM -0800, >> Paul Hoffman <[email protected]> wrote >> a message of 34 lines which said: >> >>> Setting the RD bit to 1 could result in non-authoritative answers. >> >> Today, all root name servers are not recursive. It seems good >> practice, even if I'm not sure it's formally written somewhere (I do >> not find it in RFC 7720). >> >>> If the response to a priming query is non-authoritative, should the >>> resolver reject it and try more queries? >> >> I would say yes, since it is supposed to be sent to authoritative >> servers. >> >> If a name server is deprecated and replaced by a resolver, not >> authoritative for the root, I tend to think that its response cannot >> be trusted. > > > > On 15 Jan 2016, at 5:03, Tony Finch wrote: > >> Paul Hoffman <[email protected]> wrote: >>> >>> If the response to a priming query is non-authoritative, should the >>> resolver reject it and try more queries? Or is it OK for a priming >>> response to be non-authoritative? >> >> If you are unlucky enough to be on a network that intercepts DNS queries >> and diverts them to a recursive server, you are likely to get RA=1 AA=0 >> answers to priming queries. Your resolver ought to soldier on as best it >> can in this situation. > > > On 15 Jan 2016, at 5:59, Stephane Bortzmeyer wrote: > >> On Fri, Jan 15, 2016 at 01:03:41PM +0000, >> Tony Finch <[email protected]> wrote >> a message of 22 lines which said: >> >>> If you are unlucky enough to be on a network that intercepts DNS >>> queries and diverts them to a recursive server, you are likely to >>> get RA=1 AA=0 answers to priming queries. Your resolver ought to >>> soldier on as best it can in this situation. >> >> If the resolver validates with DNSSEC, it may go on in such a case. If >> it doesn't, I'm tempted to say that it should give in and tell the >> sysadmin that it cannot do its job properly and safely. >> >> At the very minimum, such problem should be escalated to the sysadmin. > > > > > On 15 Jan 2016, at 9:52, Darcy Kevin (FCA) wrote: > >> It's not really a "normal" query, in the sense that it's not coming from a >> stub resolver, typically, and the initiator wouldn't normally assume that >> recursion is required to fetch the answer. >> >> So, in the typical case I'd expect RD=0. >> >> Not sure that the "although" verbiage below really adds any value, though. >> If you've already declared that something is a "MAY", what's the practical >> effect of then saying that its meaning is "undefined"? Either it's allowable >> per the standard or it's not. >> > > _______________________________________________ > DNSOP mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
