On 11/10/2017 07:05 PM, Mark Andrews wrote:
On 11 Nov 2017, at 3:38 am, Tony Finch <d...@dotat.at> wrote:
Filipe Cifali <cif...@kinghost.com.br> wrote:
I'm trying to have an Auth Server that says the auth flags ('aa') even on
NXDOMAIN.
BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.
However the example query in your first message did not seem to match what
you are asking for. You were querying for a domain for which your server
was not authoritative, so it tried to recurse, but failed (some kind of
firewall?). Usually on an auth-only server you should disable recursion,
so your example query would return REFUSED. See the second example dig
output below.
This is what the auth-nxdomain should do I suppose.
No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
recursive answers, for bug compatibility with BIND 8.
More correctly it has to do with RFC 103[45] where NXDOMAIN is not to
be accepted without the AA bit being set to 1, which makes it impossible to
return NXDOMAIN from a cache. This is a specification error. Some
clients, 2 decades ago, rejected NXDOMAIN without AA being set. This
flag was to allow the recursive server to interoperate with them.
Thanks, I understand now how it is supposed to be used.
Is there a way for me to help clear up the docs? I don't think I should
file a "bug" report about this.
; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nxdomain.cam.ac.uk. IN A
;; AUTHORITY SECTION:
cam.ac.uk. 3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
1510329268 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
;; Query time: 1 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:27:05 GMT 2017
;; MSG SIZE rcvd: 93
; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;notauth. IN A
;; Query time: 0 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:34:11 GMT 2017
;; MSG SIZE rcvd: 25
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
rough, occasionally high in north. Showers. Good.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Filipe Cifali Stangler | Infrastructure Analyst
cif...@kinghost.com.br | www.kinghost.com.br
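
Added example (not part of the original thread): a small decoder for the 12-byte DNS header that tells apart the response types discussed above, an NXDOMAIN with AA, an NXDOMAIN without AA, and REFUSED. The first two headers are constructed from the id, flags and section counts shown in the two dig outputs; the third is a constructed cache-style response, and the function names and the auth_only_ok check are assumptions made for this illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # message is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "counts": (qd, an, ns, ar),  # QUERY, ANSWER, AUTHORITY, ADDITIONAL
    }

def classify(h: dict) -> str:
    """Label a response along the lines the thread distinguishes."""
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == "NXDOMAIN":
        return "authoritative NXDOMAIN" if h["aa"] else "NXDOMAIN without AA"
    return h["rcode"]

def auth_only_ok(h: dict) -> bool:
    """Assumed audit rule: an auth-only server does not advertise recursion,
    and any NXDOMAIN it returns carries the AA bit."""
    if h["ra"]:
        return False
    return h["rcode"] != "NXDOMAIN" or h["aa"]

# Constructed headers: the first two mirror the dig outputs in the thread
# (flags "qr aa" / NXDOMAIN and flags "qr" / REFUSED); the third is a
# made-up recursive-server reply (qr rd ra, NXDOMAIN, no AA).
SAMPLES = {
    "nxdomain.cam.ac.uk": struct.pack("!6H", 35951, 0x8403, 1, 0, 1, 0),
    "notauth": struct.pack("!6H", 53652, 0x8005, 1, 0, 0, 0),
    "cached (constructed)": struct.pack("!6H", 1, 0x8183, 1, 0, 1, 0),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        h = parse_header(raw)
        print(f"{name}: id={h['id']} {classify(h)} auth-only ok={auth_only_ok(h)}")
```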