Question about expected recursive resolver behavior
Sarah Newman
2020-04-23 19:16:57 UTC
What should happen when for a given domain:

- The domain resolves via TCP but not UDP - UDP for this domain had no response at all.
- That authoritative nameserver hosts other domains, and those domains resolve via UDP.

I found https://www.isc.org/blogs/refinements-to-edns-fallback-behavior-can-cause-different-outcomes-in-recursive-servers/
but I'm not sure if this case is covered or not.

--Sarah
Chuck Aurora
2020-04-23 19:41:14 UTC
Post by Sarah Newman
> - The domain resolves via TCP but not UDP - UDP for this domain had no
>   response at all.
> - That authoritative nameserver hosts other domains, and those domains
>   resolve via UDP.
Do you have an example for this? I don't get the "no response on UDP"
part. If the same nameserver is answering other queries on UDP, why
wouldn't it at least send a REFUSED reply?

Perhaps REFUSED has been disabled somehow; that could be tested by
querying it for other non-hosted zones:

dig @<that-NS> ns isc.org.
Sarah Newman
2020-04-23 19:53:49 UTC
Post by Chuck Aurora
> Post by Sarah Newman
>> - The domain resolves via TCP but not UDP - UDP for this domain had no
>>   response at all.
>> - That authoritative nameserver hosts other domains, and those domains
>>   resolve via UDP.
> Do you have an example for this? I don't get the "no response on UDP"
> part. If the same nameserver is answering other queries on UDP, why
> wouldn't it at least send a REFUSED reply?
> Perhaps REFUSED has been disabled somehow; that could be tested by
> querying it for other non-hosted zones,
Here is my example, but it's been fixed now:

https://prgmr.com/blog/2020/04/23/debugging-freebsd-resolution-failure.html

REFUSED hasn't been disabled.

I bring this up because we had customers complaining about our resolvers not working and I don't know if we could/should have done better.

--Sarah
Tony Finch
2020-04-23 19:55:03 UTC
Post by Sarah Newman
> - The domain resolves via TCP but not UDP - UDP for this domain had no
>   response at all.
I would expect the domain to be completely unresolvable: the resolver will
only try TCP if it gets a truncated response over UDP.
Post by Sarah Newman
> - That authoritative nameserver hosts other domains, and those domains
>   resolve via UDP.
The lack of response for some domains might cause problems for the other
domains if the resolver decides that the authoritative server is too
broken to bother asking.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
Bailey: Variable 3 or less, increasing 4 at times. Moderate. Fair. Good,
occasionally poor.
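As an added example (not code from this thread, from prgmr.com or from BIND), a stdlib-only Python probe that sends the same query to a nameserver over UDP and over TCP and reports what came back. It is the check Chuck's dig command does by hand, and it separates the two outcomes Tony's reply turns on: a UDP timeout (which a recursive resolver treats as the server not answering, so it never falls back to TCP) versus a truncated UDP answer (which does trigger TCP retry). The server address and names in the usage line are placeholders.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=1, qid=0x1234):
    """Encode a minimal non-recursive DNS query (no EDNS) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # QR=0, RD=0, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify(resp):
    """Summarise a reply: timeout, rcode name, and whether the TC bit was set."""
    if resp is None:
        return "no response"
    flags = struct.unpack("!H", resp[2:4])[0]
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    return rcode + (" (truncated)" if flags & 0x0200 else "")

def query_udp(server, msg, timeout=2.0):
    """Send msg over UDP; None means the server never answered (the case in the thread)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def query_tcp(server, msg, timeout=2.0):
    """Send msg over TCP with the two-byte length prefix; None on timeout or close."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            raw = b""
            while len(raw) < 2 or len(raw) < 2 + struct.unpack("!H", raw[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    return None
                raw += chunk
            return raw[2:]
    except OSError:  # socket.timeout is a subclass of OSError
        return None

def probe(server, qname, qtype=1):
    """Compare UDP and TCP behaviour for one name at one authoritative server."""
    msg = build_query(qname, qtype)
    return {"udp": classify(query_udp(server, msg)),
            "tcp": classify(query_tcp(server, msg))}

if __name__ == "__main__":
    import sys  # usage: python3 probe.py 192.0.2.53 example.net  (placeholder values)
    print(probe(sys.argv[1], sys.argv[2]))
```

A healthy server gives the same rcode on both transports; "no response" on UDP next to NOERROR on TCP is exactly the asymmetry Sarah describes, and REFUSED for a name the server does not host shows that REFUSED has not been disabled.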