Re: [Pdns-users] PowerDNS recursor stripping AA bit from forwarded responses

2018-02-22 Thread Julian Mehnle
Bert,

bert hubert wrote:

> Resolvers rarely if ever send out AA=1 answers. If you literally want to
> forward packets, dnsdist may be a better choice.
> 
> Is the current behaviour causing you problems? If so can you tell us about
> those problems?

I can probably use dnsdist (I only just learned about it today), but given the 
description of the recursor's forward-zones option I assumed it was meant to 
"delegate" certain zones to authoritative servers, and I would've expected it 
to pass through the AA=1 bits coming back from such an authoritative server.

To explain what I'm trying to do: I want to serve a zone of dynamic A records 
referenced from SPF records with "exists:%{i}" mechanisms from a little custom 
DNS server, but I want to front this server with something that I trust to 
implement the DNS protocol robustly and securely. So I'll give dnsdist a try 
next.

Thanks!

-Julian



___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] PowerDNS recursor stripping AA bit from forwarded responses

2018-02-22 Thread bert hubert
On Thu, Feb 22, 2018 at 03:32:31PM -0800, Julian Mehnle wrote:
> If I set it up this way, all the responses coming back to the recursor are
> having their AA bits stripped (set to 0) (presumably by this code
> 
> when forwarded back to the client.  Is this intentional?  Would it make
> sense to leave the AA bit alone when forwarding back authoritative
> responses?  If not, why not?

Julian,

Resolvers rarely if ever send out AA=1 answers. If you literally want to
forward packets, dnsdist may be a better choice. 

Is the current behaviour causing you problems? If so can you tell us about
those problems?

Thanks.

Bert


[Pdns-users] PowerDNS recursor stripping AA bit from forwarded responses

2018-02-22 Thread Julian Mehnle
Hi there!

https://doc.powerdns.com/recursor/settings.html#forward-zones states:

> Forwarded queries have the ‘recursion desired’ bit set to 0, meaning that 
> this setting is intended to forward queries to authoritative servers.

If I set it up this way, all the responses coming back to the recursor are 
having their AA bits stripped (set to 0) (presumably by this code 
  when 
forwarded back to the client. Is this intentional? Would it make sense to leave 
the AA bit alone when forwarding back authoritative responses? If not, why not?

-Julian Mehnle



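
Added example, not part of the original thread and not PowerDNS code: a small header decoder for checking the behaviour discussed above, by comparing the flag bits of the response an authoritative server returns with those of the response the client receives. The two sample headers are constructed for illustration (their message IDs and the RD/RA values on the client-facing response are assumptions), and `build_header` and `flag_diff` are names made up for this example.

```python
import struct

# Bit masks within the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
FLAG_MASKS = {
    "QR": 0x8000,  # message is a response
    "AA": 0x0400,  # authoritative answer
    "TC": 0x0200,  # truncated
    "RD": 0x0100,  # recursion desired
    "RA": 0x0080,  # recursion available
}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    header = {name: bool(flags & mask) for name, mask in FLAG_MASKS.items()}
    header.update(id=msg_id, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                  qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return header


def flag_diff(upstream: bytes, forwarded: bytes) -> dict:
    """Return {flag: (upstream_value, forwarded_value)} for flags that differ."""
    up, fw = parse_header(upstream), parse_header(forwarded)
    return {f: (up[f], fw[f]) for f in FLAG_MASKS if up[f] != fw[f]}


def build_header(msg_id: int, flags: int, ancount: int = 1) -> bytes:
    """Hypothetical helper: pack a header with one question and ancount answers."""
    return struct.pack("!6H", msg_id, flags, 1, ancount, 0, 0)


# Constructed samples (headers only, no question/answer sections).
# Authoritative server -> recursor: QR=1, AA=1, RD=0 (forwarded query had RD=0).
UPSTREAM = build_header(0x1A2B, 0x8400)
# Recursor -> client: QR=1, AA=0, RD=1, RA=1 (AA cleared as described above).
FORWARDED = build_header(0x5C7D, 0x8180)

if __name__ == "__main__":
    for flag, (before, after) in flag_diff(UPSTREAM, FORWARDED).items():
        print(f"{flag}: upstream={int(before)} forwarded={int(after)}")
```

To use it on real traffic, pass the raw DNS payloads (UDP data, or TCP data after the two-byte length prefix) captured on each side of the forwarder.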