To: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
cc: dnsop@cafax.se, <yasuhiro@jprs.co.jp>
From: Pekka Savola <pekkas@netcore.fi>
Date: Wed, 13 Aug 2003 10:09:56 +0300 (EEST)
In-Reply-To: <y7vfzk7mff4.wl@ocean.jinmei.org>
Sender: owner-dnsop@cafax.se
Subject: Re: comments about morishita-dnsop-misbehavior-against-aaaa-00

On Tue, 12 Aug 2003, JINMEI Tatuya / 神明達哉 wrote:
> > substantial
> > -----------
> 
> > 4.1 Return NXDOMAIN
>
> >    This type of server returns a response with the RCODE being 3
> >    (NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
> >    RRs of any type for the queried name.  In fact, such a server
> >    apparently returns NXDOMAIN to all queries except those for an A RR.
> 
> > and:
> 
> > 4.3 Ignore Queries for AAAA
> > [...]
> >    Again, these servers apparently ignore all queries except those for
> >    an A RR.
> 
> > ==> is this really the case?  Do these servers *also* ignore or return an 
> > error to queries for NS, MX, SOA, and other resource records (and the text 
> > was slightly inaccurate), or does it really, really break everything 
> > except A records (whoops, maybe add a few words of clarification to 
> > underline that).
> 
> This is the case at least about the examples described in the draft.
> You can even check the behavior described in Section 4.3 by yourself
> (I just retried and confirmed that it is still the case).

So it seems, perhaps some stronger words are in order if revising the 
draft.

> > 4.2 Return NOTIMP
>
> >    Other authoritative servers return a response with the RCODE being 4
> >    (NOTIMP), indicating the servers do not support the requested type of
> >    query.
> 
> > [...]
> 
> >   Using SERVFAIL or FORMERR would cause the same effect, though the
> >    authors have not seen such implementations yet.
>
> > ==> I recall faintly that e.g. bind 4.9 series prior to patching some
> > years ago returned SERVFAIL?  Maybe also have a look at: 
> > http://www.wcug.wwu.edu/lists/ngtrans/200110/msg00123.html
> 
> Hmm, I've looked at the ngtrans message, and the latest version of the
> internet-draft discussed there, but I could not find a concrete
> example.  Could you be more specific please?

Unfortunately, I do not know more details than that.. :-/
 
> Regarding BIND 4.9, I don't have an environment to check the behavior
> at least at this moment.  If anyone else could confirm the
> information, it would be helpful.

I tried to look this up, but failed; in any case, I believe the code would 
be some 6-7 years old at least.  We'll see if someone else brings this up.

In doing so, I googled across this one:

http://mailman.isi.edu/pipermail/6bone/2002-October/006531.html

which brings some statistics to the play, which may be interesting.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
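
The three behaviours quoted from the draft in this message (4.1 NXDOMAIN, 4.2 NOTIMP, 4.3 ignored query, plus the SERVFAIL/FORMERR variant) can be told apart by comparing a server's A and AAAA responses for the same name. The following is an added example, not part of the original message or the draft; the function names and result labels are hypothetical, and the sample responses are constructed header-only messages.

```python
import struct

QR, RCODE_MASK = 0x8000, 0x000F   # DNS header flag bits (RFC 1035, section 4.1.1)
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP = 0, 1, 2, 3, 4

def make_response(rcode, ancount=0, txid=0x1234):
    """Constructed sample input: a header-only DNS response (no question section)."""
    return struct.pack("!6H", txid, QR | rcode, 0, ancount, 0, 0)

def parse_header(msg):
    """Return (rcode, ancount) from raw response bytes, or None for a timeout."""
    if msg is None:
        return None
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("QR bit clear: not a response")
    return flags & RCODE_MASK, ancount

def classify(a_resp, aaaa_resp):
    """Classify a server from its A and AAAA responses for one name.

    Either argument is raw response bytes, or None if the query timed out.
    """
    a, aaaa = parse_header(a_resp), parse_header(aaaa_resp)
    # A positive A answer proves the name exists; without it nothing can be concluded.
    if a is None or a[0] != NOERROR or a[1] == 0:
        return "inconclusive"
    if aaaa is None:
        return "4.3-ignored"                 # A answered, AAAA silently dropped
    labels = {
        NXDOMAIN: "4.1-nxdomain",            # denies a name that has an A RR
        NOTIMP: "4.2-notimp",
        SERVFAIL: "servfail-or-formerr",     # "same effect" per the draft text
        FORMERR: "servfail-or-formerr",
        NOERROR: "ok",                       # answer or empty NOERROR (no AAAA data)
    }
    return labels.get(aaaa[0], "other-rcode")

if __name__ == "__main__":
    good_a = make_response(NOERROR, ancount=1)
    for name, aaaa in [("nxdomain", make_response(NXDOMAIN)),
                       ("notimp", make_response(NOTIMP)),
                       ("timeout", None),
                       ("nodata", make_response(NOERROR))]:
        print(name, "->", classify(good_a, aaaa))
```
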
