Viktor Dukhovni <[email protected]> wrote:
>
> Reading that issue it seems that the servers in question return
> cached non-authoritative data even when the request has RD=0,
> provided some recent RD=1 query brings the data into the cache.

This is normal for recursive servers. Whether this traditional behaviour is sensible or not is another question. If a recursive server has mutually distrusting clients then it's a privacy leak known as DNS cache snooping.

> In which case the issue is not *failing* to set AA=1, but rather
> a server that is authoritative for some domains and recursive for
> others allowing non-authoritative cached data to leak into RD=0
> replies.
>
> How common are such servers? Is their behaviour incorrect?

Dunno about how common they are. There are two misconfigurations: servers identified in public NS records should be authoritative for the zone (but these ones are not) and they should not offer recursion (but these ones do).

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Humber, Thames: South veering west or southwest, 6 to gale 8. Moderate or rough. Showers. Good.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
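The two misconfigurations Tony names (a server listed in public NS records that is not authoritative for the zone, and one that offers recursion) both show up in the header flags of a reply to a single query with RD=0: AA should be set, RA should not, and no answer data should come back unless it is authoritative. The following self-contained Python script is an added example for auditing your own listed nameservers against those conditions; it is not code from the thread or from any of its participants. It parses the 12-byte DNS header per RFC 1035, and the `build_query`/`build_response` helpers exist only to construct fixtures so the audit can be exercised offline; the finding codes (`offers-recursion`, `cached-answer-to-rd0`, `non-authoritative-answer`, `no-authoritative-data`) are names chosen here, not terms from the thread.

```python
import struct
from dataclasses import dataclass


@dataclass
class DnsHeader:
    """Fields of the fixed 12-byte DNS message header (RFC 1035 §4.1.1)."""
    qid: int
    qr: bool
    opcode: int
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> DnsHeader:
    """Decode the header of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return DnsHeader(
        qid=qid,
        qr=bool(flags & 0x8000),          # 1 = response
        opcode=(flags >> 11) & 0xF,
        aa=bool(flags & 0x0400),          # Authoritative Answer
        tc=bool(flags & 0x0200),          # TrunCation
        rd=bool(flags & 0x0100),          # Recursion Desired (copied from query)
        ra=bool(flags & 0x0080),          # Recursion Available
        rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qid: int, name: str, rd: bool, qtype: int = 1) -> bytes:
    """A one-question query; rd=False is the RD=0 probe discussed in the thread."""
    flags = 0x0100 if rd else 0x0000
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(query: bytes, aa: bool, ra: bool, answers_ipv4, rcode: int = 0) -> bytes:
    """Constructed reply to `query` (test fixture only, stands in for a real server)."""
    qid, qflags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = (0x8000 | (0x0400 if aa else 0) | (qflags & 0x0100)
             | (0x0080 if ra else 0) | (rcode & 0xF))
    rrs = b""
    for ip in answers_ipv4:
        # Pointer 0xC00C back to the question name, A/IN, TTL 300, RDLENGTH 4.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) \
               + bytes(int(o) for o in ip.split("."))
    return (struct.pack("!HHHHHH", qid, flags, 1, len(answers_ipv4), 0, 0)
            + query[12:] + rrs)


def audit_ns_response(query: bytes, response: bytes) -> list:
    """Findings for a server that public NS records name as authoritative.

    An empty list means the reply looks like a properly configured
    authoritative-only server: AA=1, RA=0, and no non-authoritative data.
    """
    q, r = parse_header(query), parse_header(response)
    if not r.qr or r.qid != q.qid:
        return ["not-a-reply"]
    findings = []
    if r.ra:
        findings.append("offers-recursion")          # misconfiguration 2
    if r.ancount > 0 and not r.aa:
        # Answer data without AA: cached, non-authoritative content.
        findings.append("cached-answer-to-rd0" if not q.rd
                        else "non-authoritative-answer")
    if r.rcode == 0 and not r.aa and r.ancount == 0:
        findings.append("no-authoritative-data")     # misconfiguration 1
    return findings


if __name__ == "__main__":
    probe = build_query(0x1234, "example.com", rd=False)   # constructed name
    good = build_response(probe, aa=True, ra=False, answers_ipv4=["192.0.2.1"])
    leaky = build_response(probe, aa=False, ra=True, answers_ipv4=["192.0.2.1"])
    print("proper authoritative server:", audit_ns_response(probe, good))
    print("recursive server listed in NS:", audit_ns_response(probe, leaky))
```

To run this against a real server you would send `build_query(...)` over UDP port 53 to each address in the zone's NS set and pass the raw reply to `audit_ns_response`; a listed server whose reply yields `cached-answer-to-rd0` or `offers-recursion` is exhibiting exactly the behaviour the thread describes and should be split into separate authoritative and recursive instances.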
