Empty AA=0 AD=1 answers to AAAA queries: your thoughts pls
bert hubert <bert.hubert <at> netherlabs.nl>
2014-12-20 12:58:06 GMT
I have a question if I am right in concluding something is a protocol
violation, and if we should reward it by papering it over or (finally)
concluding that enough is enough.
A few weeks ago we posted this
about Microsoft Azure nameservers sending empty answers (AD=1 no less) to
AAAA queries. Microsoft has indicated they'll get to addressing this early
2015, by the way (thanks Mehmet).
However, we're now seeing more and more of this, for example from the most
popular news site in the Netherlands nu.nl:
$ dig +trace -t aaaa nu-nl.gslb.sanomaservices.nl.
Which ends on:
$ dig -t aaaa nu-nl.gslb.sanomaservices.nl. @22.214.171.124
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58444
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;nu-nl.gslb.sanomaservices.nl. IN AAAA
Note that this is the same pattern as Microsoft Azure. But this empty AA=0
answer leads PowerDNS to:
nu-nl.gslb.sanomaservices.nl.: Trying IP 126.96.36.199:53 1, asking 'nu-nl.gslb.sanomaservices.nl.|AAAA'
nu-nl.gslb.sanomaservices.nl.: Got 0 answers from gslb2.sanomaservices.nl. (188.8.131.52),
rcode=0 (No Error), aa=0, in 6ms
nu-nl.gslb.sanomaservices.nl.: determining status after receiving this packet
nu-nl.gslb.sanomaservices.nl.: status=NS gslb2.sanomaservices.nl. (184.108.40.206) is lame for
'gslb.sanomaservices.nl.', trying sibling IP or NS
nu-nl.gslb.sanomaservices.nl.: Failed to resolve via any of the 2 offered NS at level 'gslb.sanomaservices.nl.'
nu-nl.gslb.sanomaservices.nl.: failed (res=-1)
And this means we send out a SERVFAIL to our client, since all servers are
'lame'. This makes some programs very unhappy.
We are (as is any resolver implementor) receiving pressure not to do this,
and to paper over this behaviour. There is a workaround available in the URL
We think the time has to come to say 'no, if you run a non-conforming
implementation, you deserve all the pain you get'.
But before we make a stand, what do you think? Should we accept empty AA=0
AD=1 answers as "NO ERROR"?
Please let us know.
dnsext mailing list
dnsext <at> ietf.org
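The distinction the post turns on (an empty AA=0 reply from a server queried as the authority, versus a conforming AA=1 NODATA answer) can be made from the 12-byte header plus a glance at the authority section. The following is an added example written for this page, not code from the post or from PowerDNS: it decodes the header bit layout of RFC 1035 (AD/CD from RFC 2535/4035) and applies a simplified version of the judgement the PowerDNS log above shows. The two sample packets are constructed here to match the flag pattern quoted from the nu.nl reply and a conforming NODATA reply; the function and constant names are my own, and the caller is assumed to have parsed the authority section itself (that parsing is not part of this example).

```python
import struct
from dataclasses import dataclass

# Bit positions in the second header word, per RFC 1035 section 4.1.1;
# AD and CD were added later (RFC 2535, semantics clarified in RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


@dataclass
class DnsHeader:
    ident: int
    qr: bool
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(packet: bytes) -> DnsHeader:
    """Decode the fixed 12-byte header at the start of a wire-format DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return DnsHeader(
        ident=ident,
        qr=bool(flags & QR), aa=bool(flags & AA), tc=bool(flags & TC),
        rd=bool(flags & RD), ra=bool(flags & RA), ad=bool(flags & AD),
        cd=bool(flags & CD), rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def build_header(ident: int, flags: int, qd: int = 1, an: int = 0, ns: int = 0, ar: int = 0) -> bytes:
    """Pack a header; used here only to construct the sample responses below."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def classify_auth_response(h: DnsHeader, soa_in_authority: bool, ns_in_authority: bool) -> str:
    """
    Classify a reply from a server we asked because it is supposed to be
    authoritative for the name.  The two booleans summarise the authority
    section, which the caller has parsed separately (hypothetical helper,
    not shown).
    """
    if not h.qr:
        return "NOT-A-RESPONSE"
    if h.tc:
        return "TRUNCATED"            # retry over TCP before judging the content
    if h.rcode == 3:
        return "NXDOMAIN"
    if h.rcode != 0:
        return "RCODE=%d" % h.rcode
    if h.ancount > 0:
        return "ANSWER" if h.aa else "NON-AUTHORITATIVE-ANSWER"
    # NOERROR with zero answers.  The conforming authoritative form is AA=1,
    # with the zone SOA in the authority section so caches can apply
    # negative caching (RFC 2308).
    if h.aa:
        return "NODATA" if soa_in_authority else "NODATA-WITHOUT-SOA"
    if ns_in_authority:
        return "REFERRAL"             # a delegation downward; follow it
    # AA=0, no answers, no referral: nothing in the reply says the server
    # speaks for this zone.  This is the case the PowerDNS log calls lame.
    return "LAME"


def diagnose(packet: bytes, soa_in_authority: bool = False, ns_in_authority: bool = False) -> str:
    return classify_auth_response(parse_header(packet), soa_in_authority, ns_in_authority)


# Constructed sample 1: the header of the nu.nl reply quoted in the post
# (id 58444, flags "qr rd ad", NOERROR, QUERY 1, ANSWER 0, AUTHORITY 0, ADDITIONAL 1).
NU_NL_STYLE_RESPONSE = build_header(58444, QR | RD | AD, qd=1, an=0, ns=0, ar=1)

# Constructed sample 2: a conforming NODATA reply from the authority:
# AA=1, zero answers, one SOA record in the authority section.
CONFORMING_NODATA_RESPONSE = build_header(58444, QR | AA | RD, qd=1, an=0, ns=1, ar=1)


if __name__ == "__main__":
    print("nu.nl style :", diagnose(NU_NL_STYLE_RESPONSE))                                   # LAME
    print("conforming  :", diagnose(CONFORMING_NODATA_RESPONSE, soa_in_authority=True))      # NODATA
```

Run stand-alone, the first sample classifies as LAME, exactly as the resolver log in the post reports, and the second as NODATA. Note what the AD bit contributes to that judgement: nothing. RFC 4035 defines AD as a flag a validating resolver sets on data it has checked, so an authoritative server putting AD=1 on its own empty answer does not make the answer authoritative; only AA does, which is why the classifier ignores it.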