Problem with undead upstreams

Havard Eidnes he at uninett.no
Mon Feb 27 16:24:41 UTC 2023


>> "Pick another upstream" would be my suggestion, if that's at all
>> feasible.  Either that, or do your own recursive resolution, and
>> don't rely on someone else bodging it for you :)
>
> No, again that is not my issue.

Sorry for at least initially not fully comprehending the
situation...

> All of the servers that dns.com operates are dropping queries for the
> Resource Record Type DS.

That is an error.

If a publishing name server receives a query for an RR type which
doesn't exist at the given name, but other data (other RR types)
exists on the queried-for name, the correct thing is to return an
empty NOERROR response.  If the queried-for name doesn't exist,
but the publishing name server is authoritative for the zone
where the name would reside, the correct response is a reply with
an NXDOMAIN error code.  If the publishing name server isn't
authoritative for the queried-for name, and doesn't provide
recursive service to you, a valid response would be an empty
reply with the error code REFUSED.  Note that in none of these
cases is "failure to respond" a valid behaviour, perhaps modulo
rate limiting.

Failing to provide a response for "unusual" or "new" resource
record queries (some might characterize DS records as "new",
others would disagree, me among them...) is not adhering to the
spec.

The affected publishing name servers get what they deserve from
your unbound recursor -- the error is not with unbound, but with
the publishing name servers for dns.com.

With a name such as dns.com, one would have expected that someone
in the owning organization would know better than to use a DNS
name server implementation which has such a basic protocol bug.
Ref.:

$ dig dns.com. ns +short
m2.dns.com.
m1.dns.com.
$ dig @m1.dns.com. dns.com. ds +norec

; <<>> DiG 9.16.33 <<>> @m1.dns.com. dns.com. ds +norec
; (5 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @m2.dns.com. dns.com. ds +norec

; <<>> DiG 9.16.33 <<>> @m2.dns.com. dns.com. ds +norec
; (5 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$

but

$ dig @m2.dns.com. dns.com. ns +norec +short
m1.dns.com.
m2.dns.com.
$

Regards,

- Håvard

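As an added example (not part of Håvard's mail, nor Unbound code), a small Python probe that sends the same DS query with the RD bit clear, as `dig +norec` does, and sorts the reply into the cases the mail lists, treating a timeout as the invalid one. The server address, the name, and the replies built by `make_response` for the offline run are constructed assumptions.

```python
import socket
import struct

QTYPE_DS = 43
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=QTYPE_DS, txid=0x1234):
    """Wire-format query, RD bit clear (like dig +norec): header + question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(response):
    """Name the case from the mail that a raw reply (None = timeout) falls into."""
    if response is None:
        return "no response: not a valid behaviour for an authoritative server"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode, aa = flags & 0x000F, bool(flags & 0x0400)
    if rcode == 0 and ancount == 0:
        return "empty NOERROR: name exists, no RRs of that type"
    if rcode == 0:
        return "NOERROR with %d answer RR(s)" % ancount
    if rcode == 3:
        return "NXDOMAIN: name does not exist" + (" (authoritative)" if aa else "")
    if rcode == 5:
        return "REFUSED: server not authoritative and not recursive for us"
    return RCODE.get(rcode, "RCODE %d" % rcode)

def probe(server, name, qtype=QTYPE_DS, timeout=3.0):
    """Send one UDP query; return raw bytes, or None if nothing comes back."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == query[:2] else None  # foreign txid counts as no reply

def make_response(query, rcode, ancount=0, aa=True):
    """Constructed reply for offline checks: echo the question, set QR/AA/RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("dns.com.")          # constructed offline run, no network needed
    for rcode in (0, 3, 5):
        print(classify(make_response(q, rcode)))
    print(classify(None))
```

Against a live server, `classify(probe("192.0.2.1", "dns.com."))` (placeholder address) prints the same labels, and the timeout case is the one the mail describes.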