On Tue, Apr 04, 2023 at 06:40:55PM +0200, Havard Eidnes wrote:

> >     ; ANSWER
> >     ; AUTHORITY
> >     example.com. IN NS ns1.provider.net.
> >     example.com. IN NS ns2.provider.net.
> >
> > is a valid delegation response (and so not from this perspective a LAME
> > delegation), whether or not the target servers actually serve the zone.
> 
> I agree that this is a valid delegation response.  I do however
> disagree with the latter part of this sentence; it *may* be a
> "lame delegation" depending on the response you as a recursive
> resolver get from the two delegated-to name servers when you try
> to look up a name in the example.com zone.

At the time such a delegation response is being processed by a resolver,
it looks just fine.  Nothing to see here, move along (down the tree)...

> > A LAME delegation (response) happens when "ns1" or "ns2" respond to
> > queries with yet another (e.g. self) delegation that does not move the
> > resolver closer to the target:
> >
> >     ; ANSWER
> >     ; AUTHORITY
> >     example.com. IN NS ns1.provider.net.
> >     example.com. IN NS ns2.provider.net.
> 
> I am having problems seeing under what normal-ish circumstances
> either ns1 or ns2 would provide this response.

I can't tell you **why** they do it, but there are many that do in fact
respond with non-productive delegations:

    ; .COM:
    ksyunv5.com.            172800  IN      NS      ns1.ksyuncdn.com.
    ksyunv5.com.            172800  IN      NS      ns2.ksyuncdn.com.
    ksyunv5.com.            172800  IN      NS      ns3.ksyuncdn.com.

    ---

    ; .ksyunv5.com:
    jshsos.ksyunv5.com.     NS      ns4.bpldns.com.
    jshsos.ksyunv5.com.     NS      ns3.bpldns.com.

    ---

    ; .jshsos.ksyunv5.com:
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12951
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;lzd.jshsos.ksyunv5.com.        IN AAAA

    ;; AUTHORITY SECTION:
    jshsos.ksyunv5.com.     NS      ns4.bpldns.com.
    jshsos.ksyunv5.com.     NS      ns3.bpldns.com.

Another example, a more "normal" upward referral:

    ; .CO.UK:
    healthwize.co.uk.       172800  IN      NS      ns.mainnameserver.com.
    healthwize.co.uk.       172800  IN      NS      ns2.mainnameserver.com.

    ---

    ; healthwize.co.uk:
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42663
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;healthwize.co.uk.      IN A

    ;; AUTHORITY SECTION:
    .                       NS      a.root-servers.net.
    .                       NS      b.root-servers.net.
    .                       NS      c.root-servers.net.
    .                       NS      d.root-servers.net.
    .                       NS      e.root-servers.net.
    .                       NS      f.root-servers.net.
    .                       NS      g.root-servers.net.
    .                       NS      h.root-servers.net.
    .                       NS      i.root-servers.net.
    .                       NS      j.root-servers.net.
    .                       NS      k.root-servers.net.
    .                       NS      l.root-servers.net.
    .                       NS      m.root-servers.net.

Non-productive (LAME) delegation responses are sadly all too common.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
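
An added example, not part of the original message: Python code that parses dig output like the two responses quoted above and classifies the referral by comparing the NS owner name in the AUTHORITY section with the zone the queried server was delegated. The function names and classification labels are assumptions made for this example; the sample responses are condensed from the dig output in the message.

```python
import re

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_at_or_below(name, zone):
    """True when `name` equals `zone` or is a descendant of it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def parse_dig(text):
    """Extract header flags, ANSWER count, qname and AUTHORITY NS owner names."""
    flags = re.search(r";; flags: ([a-z ]*);", text).group(1).split()
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname = re.search(r"QUESTION SECTION:\n;(\S+)", text).group(1)
    authority = text.partition(";; AUTHORITY SECTION:\n")[2]
    owners = {m.group(1) for m in
              re.finditer(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NS\s", authority, re.M)}
    return flags, answers, qname, owners

def classify(dig_text, delegated_zone):
    """Classify the response of a server that `delegated_zone` was delegated to."""
    flags, answers, qname, owners = parse_dig(dig_text)
    if "aa" in flags or answers or len(owners) != 1:
        return "not a referral"
    owner = owners.pop()
    if not (is_at_or_below(qname, delegated_zone) and is_at_or_below(qname, owner)):
        return "unrelated referral"
    if len(labels(owner)) > len(labels(delegated_zone)):
        return "productive referral"      # moves the resolver down the tree
    if labels(owner) == labels(delegated_zone):
        return "lame: self referral"      # same zone cut handed back
    return "lame: upward referral"        # points back toward the root
# Sample responses condensed from the dig output quoted in the message.
SELF_REFERRAL = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;lzd.jshsos.ksyunv5.com.        IN AAAA
;; AUTHORITY SECTION:
jshsos.ksyunv5.com.     NS      ns4.bpldns.com.
jshsos.ksyunv5.com.     NS      ns3.bpldns.com.
"""
UPWARD_REFERRAL = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;healthwize.co.uk.      IN A
;; AUTHORITY SECTION:
.                       NS      a.root-servers.net.
"""
```

Passing `SELF_REFERRAL` with `ksyunv5.com.` as the delegated zone returns `productive referral`: the same NS set is a normal delegation from the parent and non-productive only when the delegated-to servers hand it back.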
