This is the summary of the thread about the following sentence in the
section on priming queries:
The RD bit MAY be set to 0 or 1, although the meaning of it being set to
1 is
undefined for priming queries.
There were four replies with what seems like four different takes on it.
Can others in the WG weigh in so we might get consensus?
--Paul Hoffman
On 15 Jan 2016, at 2:50, Stephane Bortzmeyer wrote:
On Thu, Jan 14, 2016 at 11:09:36AM -0800,
Paul Hoffman <paul.hoff...@vpnc.org> wrote
a message of 34 lines which said:
Setting the RD bit to 1 could result in non-authoritative answers.
Today, all root name servers are not recursive. It seems good
practice, even if I'm not sure it's formally written somewhere (I do
not find it in RFC 7720).
If the response to a priming query is non-authoritative, should the
resolver reject it and try more queries?
I would say yes, since it is supposed to be sent to authoritative
servers.
If a name server is deprecated and replaced by a resolver, not
authoritative for the root, I tend to think that its response cannot
be trusted.
On 15 Jan 2016, at 5:03, Tony Finch wrote:
Paul Hoffman <paul.hoff...@vpnc.org> wrote:
If the response to a priming query is non-authoritative, should the
resolver reject it and try more queries? Or is it OK for a priming
response to be non-authoritative?
If you are unlucky enough to be on a network that intercepts DNS
queries
and diverts them to a recursive server, you are likely to get RA=1
AA=0
answers to priming queries. Your resolver ought to soldier on as best
it
can in this situation.
On 15 Jan 2016, at 5:59, Stephane Bortzmeyer wrote:
On Fri, Jan 15, 2016 at 01:03:41PM +0000,
Tony Finch <d...@dotat.at> wrote
a message of 22 lines which said:
If you are unlucky enough to be on a network that intercepts DNS
queries and diverts them to a recursive server, you are likely to
get RA=1 AA=0 answers to priming queries. Your resolver ought to
soldier on as best it can in this situation.
If the resolver validates with DNSSEC, it may go on in such a case. If
it doesn't, I'm tempted to say that it should give in and tell the
sysadmin that it cannot do its job properly and safely.
At the very minimum, such problem should be escalated to the sysadmin.
On 15 Jan 2016, at 9:52, Darcy Kevin (FCA) wrote:
It's not really a "normal" query, in the sense that it's not coming
from a stub resolver, typically, and the initiator wouldn't normally
assume that recursion is required to fetch the answer.
So, in the typical case I'd expect RD=0.
Not sure that the "although" verbiage below really adds any value,
though. If you've already declared that something is a "MAY", what's
the practical effect of then saying that its meaning is "undefined"?
Either it's allowable per the standard or it's not.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
