On 4/21/2024 10:05 PM, Mark Andrews wrote:
On 19 Apr 2024, at 16:12, Crist Clark <[email protected]> wrote:
First, yes, I know. Their DNS is broken. They should fix their DNS. We
shouldn't need to make QNAME-minimization work around broken DNS.
Name and shame a domain name in question,
e1083.d.akamaiedge.akamai.csd.disa.mil
The problem I see: akamai.csd.disa.mil is a delegated zone. All four name
servers for the zone are in the zone. All four of the addresses in the parent's
glue are unresponsive. It's actually the same for
d.akamaiedge.akamai.csd.disa.mil too.
That is breaking resolution for BIND 9.18 servers with default qname-minimization. If
qname-minimization is set "off", it works. That's because the disa.mil NSes
will respond with the answer for that full name. We never go farther up the name to try
to find the non-responsive NS servers.
(And yes, the DNS "authoritative" servers here are questionable too. The TTLs
look like they are caching answers, but all of the responses have AA set.)
Does that assessment look correct? I know BIND defaults to "relaxed" QNAME
minimization. It works around certain cases of brokeness. I guess this is not one of
them? Should it be? It's a case where things work without minimization. The brokeness is
hidden for non-minimizing resolvers.
Again, yeah, they are broken. They should fix it, but it broke someone's Very Important
Work at our shop. And it used to work and it works from home and for other customers so
it must be our DNS that's broken. So we end up setting "qname-minimization off"
globally despite the fact they are really the broken ones. We'd rather keep minimization
on, but it's the only reasonable work around we could find.
Just use a forward zone in forward only mode. When the parent servers give you
non working nameservers for child zones there isn’t a sensible automatic
solution.
zone disa.mil {
type forward;
forward only;
forwarders { 152.229.110.235; 214.3.125.231; 131.77.60.235; };
};
Can such forward-zones be defined in catalog-zones?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
[email protected]
Department of Administration
State of Alaska
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
