Re: Bind/Named 9.9 auth-nxdomain question

Fri, 10 Nov 2017 08:40:04 -0800 

Filipe Cifali <cif...@kinghost.com.br> wrote:
>
> I'm trying to have an Auth Server that says the auth flags ('aa') even on
> NXDOMAIN.

BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.

However the example query in your first message did not seem to match what
you are asking for. You were querying for a domain for which your server
was not authoritative, so it tried to recurse, but failed (some kind of
firewall?). Usually on an auth-only server you should disable recursion,
so your example query would return REFUSED. See the second example dig
output below.


> This is what the auth-nxdomain should do I suppose.

No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
recursive answers, for bug compatibility with BIND 8.


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk 
@authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nxdomain.cam.ac.uk.    IN A

;; AUTHORITY SECTION:
cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
                                1510329268 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 1 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:27:05 GMT 2017
;; MSG SIZE  rcvd: 93


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth 
@authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;notauth.               IN A

;; Query time: 0 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:34:11 GMT 2017
;; MSG SIZE  rcvd: 25


Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
rough, occasionally high in north. Showers. Good.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to