On Thu, Apr 06, 2023 at 11:13:32PM +0200, Havard Eidnes wrote:

> > Well, one would, in fact, expect a delegation to be a non-authoritative
> > answer:
> 
> Yes, but one would presume that before any of the two above
> queries were sent, the recursive resolver had already cached the
> delegation for jshsos.ksyunv5.com.

It doesn't matter, there can be multiple layers of delegations, and a
response with aa=0, ancount=0, no SOA in the authority section and some
NS records there is definitely what a delegation looks like.  When it
is non-productive, it is LAME.

> Therefore, posting a question about a name in that zone to one of
> the name servers supposedly serving that zone

It needn't be authoritative for all names in the zone, it can issue
further delegations, and sure appears to do just that, only with a
delegation to itself.

> would be expected to elicit an authoritative response, and not a
> non-authoritative delegation response.

Only when actually authoritative for the requested name.

> >> If I'm not terribly mistaken, this sort of mis-behaviour is all too
> >> common among the CDN crowd, and I dearly wish we could stomp it out.
> >
> > Shall we?  Please lead the way!
> 
> A couple of questions: Do we have a spec of what a minimally
> conformant publishing name server needs to implement?

    - Minimally, 103[345]
    - EDNS(0) (at least to the extent of responding with FORMERR)
    - TCP.
    - Also, include SOA in the **AUTHORITY** section when returning
      NODATA or NXDOMAIN.  RFC2308 sadly tolerates NODATA/NXDOMAIN
      without SOA, but that really should stop being tolerated at some
      point.

Current garbage to NOT DO:

    - DO NOT return SOA in the ANSWER section in NODATA responses.
    - DO NOT return some fixed record type (A, ...) in the answer
      section regardless of the qtype.
    - DO NOT put NS records sans SOA in the authority section of
      a NODATA/NXDOMAIN response.
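A small classifier for the response shapes above, added here as an example and not code from this thread or any name server implementation: it parses the DNS wire format directly (no dnspython), assumes a single question section, and the sample messages are constructed inline rather than captured from a real server.

```python
import struct
TYPES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA"}
def skip_name(buf, off):
    # Advance past a wire-format name: labels, or a 2-byte compression pointer.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse(buf):
    # Return (aa, qtype, answer_types, authority_types); assumes one question.
    _, flags, _, an, ns, _ = struct.unpack("!6H", buf[:12])
    off = skip_name(buf, 12)
    qtype = struct.unpack("!H", buf[off:off + 2])[0]
    off += 4
    secs = []
    for count in (an, ns):
        types = []
        for _ in range(count):
            off = skip_name(buf, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
            types.append(TYPES.get(rtype, rtype))
            off += 10 + rdlen
        secs.append(types)
    return bool(flags & 0x0400), TYPES.get(qtype, qtype), secs[0], secs[1]

def classify(buf):
    # Label the response with the shapes discussed in the thread.
    aa, qtype, ans, auth = parse(buf)
    if "SOA" in ans and qtype != "SOA":
        return "broken: SOA in ANSWER section of a negative response"
    if ans and qtype not in ans:
        return "broken: fixed record type returned regardless of qtype"
    if aa and ans:
        return "authoritative answer"
    if not aa and not ans and "NS" in auth and "SOA" not in auth:
        return "delegation (lame if this server is supposed to be authoritative)"
    if aa and not ans and "SOA" in auth:
        return "negative answer (NODATA/NXDOMAIN) with SOA in AUTHORITY"
    if aa and not ans:
        return "broken: negative answer without SOA in AUTHORITY"
    return "unclassified"

def build(aa, qtype, answer, authority, name=b"\x03www\x07example\x03com\x00"):
    # Constructed sample response (not captured traffic); rdata left empty since only types/sections are inspected.
    flags = 0x8000 | (0x0400 if aa else 0)
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answer), len(authority), 0)
    msg += name + struct.pack("!HH", qtype, 1)
    for rtype in answer + authority:   # 0xc00c = pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, 0)
    return msg
```

Feeding `classify()` the raw bytes of a captured UDP response (for example from a packet capture) labels it the same way.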

> And secondly, do we have any inkling whether all or most of these CDNs
> use a common codebase, or is it all truly "roll your own"?  And if
> there is a dominant codebase, do we have an inkling what it is?

I don't know, but there does seem to be some commonality of behaviour.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop