On Mon, Jan 15, 2018 at 04:39:20PM -0500, Andrew Sullivan wrote: > A response that has only a referral contains an empty answer > section. It contains the NS RRset for the referred-to zone in the > authority section. It may contain RRs that provide addresses in > the additional section. The AA bit is clear.
Hi all, the behaviour with respect to the (clear) AA bit is not completely observed in the wild: ba.anycastdns.cz (185.38.108.108, 185.28.194.194) is authoritative for ..ba given by the root zone, they return the following referrals: % dig +norec @185.28.194.194 google.ba. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48224 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1480 ;; QUESTION SECTION: ;google.ba. IN A ;; AUTHORITY SECTION: google.ba. 86400 IN NS ns1.google.com. google.ba. 86400 IN NS ns2.google.com. ;; Query time: 70 msec ;; SERVER: 185.28.194.194#53(185.28.194.194) ;; WHEN: Sat Mar 24 00:01:18 CET 2018 ;; MSG SIZE rcvd: 84 I.e. a referral, but with AA-bit. Both Unbound and BIND appear to treat this as delegation: https://github.com/NLnetLabs/unbound/blob/release-1.7.0/iterator/iter_resptype.c#L270 (since at least 2007, including the comment about the AA-bit) https://gitlab.isc.org/isc-projects/bind9/blob/b2307b25465c16d37ff6de22438a2d214287417c/lib/dns/resolver.c#L603 and L7314 (Not 100% sure) RFC 2308 2.2 does not specifically care about the AA-bit: > It is possible to distinguish between a NODATA and a referral > response by the presence of a SOA record in the authority section or > the absence of NS records in the authority section. My current take away: The clean interpretation would be a NODATA response. But based on practical evidence and implementations, such responses are to be treated as referrals. anycastdns.cz should change the name servers behaviour. Best regards, Johannes -- Johannes Naab _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
