> On 19 Apr 2024, at 16:12, Crist Clark <cjc+bind-us...@pumpky.net> wrote:
>
> First, yes, I know. Their DNS is broken. They should fix their DNS. We
> shouldn't need to make QNAME-minimization work around broken DNS.
>
> Name and shame a domain name in question,
>
> e1083.d.akamaiedge.akamai.csd.disa.mil
>
> The problem I see: akamai.csd.disa.mil is a delegated zone. All four name
> servers for the zone are in the zone. All four of the addresses in the
> parent's glue are unresponsive. It's actually the same for
> d.akamaiedge.akamai.csd.disa.mil too.
>
> That is breaking resolution for BIND 9.18 servers with default
> qname-minimization. If qname-minimization is set "off", it works. That's
> because the disa.mil NSes will respond with the answer for that full name. We
> never go farther up the name to try to find the non-responsive NS servers.
>
> (And yes, the DNS "authoritative" servers here are questionable too. The TTLs
> look like they are caching answers, but all of the responses have AA set.)
>
> Does that assessment look correct? I know BIND defaults to "relaxed" QNAME
> minimization. It works around certain cases of brokenness. I guess this is not
> one of them? Should it be? It's a case where things work without
> minimization. The brokenness is hidden for non-minimizing resolvers.
>
> Again, yeah, they are broken. They should fix it, but it broke someone's Very
> Important Work at our shop. And it used to work and it works from home and
> for other customers so it must be our DNS that's broken. So we end up setting
> "qname-minimization off" globally despite the fact they are really the broken
> ones. We'd rather keep minimization on, but it's the only reasonable
> workaround we could find.

Just use a forward zone in forward only mode. When the parent servers give
you non-working nameservers for child zones there isn’t a sensible automatic
solution.

zone disa.mil {
        type forward;
        forward only;
        forwarders { 152.229.110.235; 214.3.125.231; 131.77.60.235; };
};

> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
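
Added example, not part of the original thread and not BIND's resolver code: a small Python model of the delegation described above, logging which query name reaches which server with and without QNAME minimization. The addresses, the answer record and the assumption that csd.disa.mil is not itself a zone cut are constructed; BIND's "relaxed" fallback is not modelled.

```python
# Constructed model of the thread's delegation; addresses are placeholders.
FULL = "e1083.d.akamaiedge.akamai.csd.disa.mil"
CUT = "akamai.csd.disa.mil"              # delegated zone with in-zone NS names
PARENT = "192.0.2.1"                     # stands in for a disa.mil name server
GLUE = ["198.51.100.1", "198.51.100.2"]  # stands in for the unresponsive glue

SERVERS = {  # per the thread, the parent answers the full name when asked
    PARENT: {"up": True, "answers": {FULL: "203.0.113.10"}, "referrals": {CUT: GLUE}},
    GLUE[0]: {"up": False, "answers": {}, "referrals": {}},
    GLUE[1]: {"up": False, "answers": {}, "referrals": {}},
}

def query(addr, qname):
    """One query to one server: returns (kind, data)."""
    srv = SERVERS[addr]
    if not srv["up"]:
        return "timeout", None
    if qname in srv["answers"]:
        return "answer", srv["answers"][qname]
    for cut, glue in srv["referrals"].items():
        if qname == cut or qname.endswith("." + cut):
            return "referral", glue
    return "nodata", None  # assumption: csd.disa.mil is not a zone cut

def resolve(qname, start_zone, servers, minimize):
    """Walk down from start_zone; return (result, [(server, qname, kind), ...])."""
    labels = qname.split(".")
    depth = len(start_zone.split("."))
    log = []
    for _ in range(2 * len(labels)):  # bound the walk
        # Minimised: reveal one more label per step. Otherwise: send the full name.
        depth = min(depth + 1, len(labels)) if minimize else len(labels)
        q = ".".join(labels[-depth:])
        kind, data = "timeout", None
        for addr in servers:  # try each server until one responds
            kind, data = query(addr, q)
            log.append((addr, q, kind))
            if kind != "timeout":
                break
        if kind == "timeout":
            return "SERVFAIL", log  # every server for this zone was silent
        if kind == "answer":
            return data, log
        if kind == "referral":
            servers = data  # follow the parent's glue
        elif depth == len(labels):
            return "NODATA", log
    return "SERVFAIL", log
```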