On Sun, 23 Jun 2024 14:43:54 +0100, Otto Moerbeek <o...@drijf.net> wrote:

> It is possible to argue that it is correct in doing so, *if* it
> didn't set the AD flag in the request.
>
> See https://www.rfc-editor.org/rfc/rfc6840#section-5.8
>
> So a question is: what did the request look like?
>
The request has these flags:

Flags: 0x0100 Standard query
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable

and the response from unwind has these flags:

Flags: 0x81a0 Standard query response, No error
    1... .... .... .... = Response: Message is a response
    .000 0... .... .... = Opcode: Standard query (0)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... 1... .... = Recursion available: Server can do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..1. .... = Answer authenticated: Answer/authority portion was authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0000 = Reply code: No error (0)

from tshark's point of view.

> I must say that the RFC using SHOULD here does not help a lot.
>

Indeed, the wording in the RFC makes such behavior... let's say not against the RFC. But the only software that doesn't work is Nginx.

Thus, I was wrong about the configuration of the forwarder in my unwind.conf. The domain in question really exists in my DNS records, which are available worldwide, and if I simplify unwind.conf to

preference { recursor }

I can reproduce that issue. But I can't reproduce the issue if I use google.com, which means that the bit is probably introduced by cloudns.net, which I use, and forwarded by unwind / libunbound to the client.

--
wbr, Kirill
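Decoding the two flag words quoted in this message (0x0100 for the request, 0x81a0 for the response) and applying the RFC 6840 section 5.8 condition, as an added example that is not code from this thread or from unwind/libunbound. The 12-byte headers are constructed here to carry those flag words; the EDNS DO bit lives in the OPT record rather than the header, so this snippet takes it as a parameter instead of parsing the additional section.

```python
import struct

# Masks for the 16-bit flags word of the DNS header (RFC 1035 section 4.1.1;
# AD and CD bits from RFC 4035 section 3.2).
QR = 0x8000          # query (0) / response (1)
OPCODE_MASK = 0x7800
AA = 0x0400          # authoritative answer
TC = 0x0200          # truncated
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
Z = 0x0040           # reserved, must be zero
AD = 0x0020          # authenticated data
CD = 0x0010          # checking disabled
RCODE_MASK = 0x000F


def decode_flags(flags):
    """Break a flags word into named fields, the way tshark prints them."""
    return {
        "response": bool(flags & QR),
        "opcode": (flags & OPCODE_MASK) >> 11,
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "z": bool(flags & Z),
        "authenticated_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
    }


def flags_from_header(header):
    """Extract the flags word from the first 12 bytes of a DNS message."""
    (_id, flags, _qd, _an, _ns, _ar) = struct.unpack("!HHHHHH", header[:12])
    return flags


def ad_bit_violation(request_flags, response_flags, request_do=False):
    """Apply the RFC 6840 section 5.8 rule.

    A response SHOULD carry the AD bit only when the request set AD or the
    EDNS DO bit.  Because DO sits in the OPT RR (RFC 6891), not the header,
    the caller passes it in.  Returns True when the response sets AD even
    though the request asked for neither.
    """
    asked = bool(request_flags & AD) or request_do
    return bool(response_flags & AD) and not asked


# Constructed 12-byte headers reproducing the flag words from the thread;
# the transaction ID and section counts are made-up sample values.
REQUEST_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81a0, 1, 1, 0, 0)


if __name__ == "__main__":
    req = flags_from_header(REQUEST_HEADER)
    resp = flags_from_header(RESPONSE_HEADER)
    for name, word in (("request", req), ("response", resp)):
        print(f"{name} 0x{word:04x}: {decode_flags(word)}")
    if ad_bit_violation(req, resp):
        print("response sets AD although the request set neither AD nor DO")
```

With the two captured words, the check reports a violation of the SHOULD: the request has AD clear, and without an OPT record there is no DO bit either, so a resolver following RFC 6840 section 5.8 would have answered with AD clear. Clearing AD in the request-side check is also the easy way to tell whether a downstream forwarder, rather than the local resolver, is the one adding the bit.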