[Dnsmasq-discuss] Bug forward upstream SERVFAIL

/dev/rob0 rob0 at gmx.co.uk
Tue Nov 22 18:02:14 GMT 2016


On Tue, Nov 22, 2016 at 04:18:55PM +0000, Chris Novakovic wrote:
> On 22/11/16 15:03, Martin Wetterwald wrote:
> > We found what we think is a bug (at least an unwanted 
> > behaviour), but it seems it's actually a feature, when looking at 
> > commits 4ace25c5 and 51967f980 (pasted at the end of this email).
> 
> 4ace25c5 is a red herring: that provides REFUSED responses with the 
> behaviour you're looking for. Whether the same behaviour ought to 
> be applied to SERVFAIL responses is for Simon to decide: the commit 
> message for 51967f980 isn't clear about why SERVFAIL should be 
> considered a "successful" upstream response, but I'm sure there was 
> a reason, and I'm sure he can fill us in.

SERVFAIL can sometimes be considered "successful" depending on 
circumstances.

If all the authoritative NS hosts for a zone are returning SERVFAIL 
for queries, then indeed, that's the best that can be done.

But the problem could be on the recursive resolver, such as [for one 
example] cache poisoning causing DNSSEC validation failure.

Unfortunately dnsmasq is not in a position to know which it is.

I think the most prudent thing for dnsmasq to do on SERVFAIL is to 
attempt the query with other upstream servers, if possible.  But an 
answer needs to be provided to the client before its own timeout 
value.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
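
The policy suggested in the message above (on SERVFAIL, try the other upstream servers, but still answer the client before its own timeout), sketched as an added example. This is not code from the original post or from dnsmasq; the struct names, the function `forward_with_failover`, and the sample upstreams with their latencies are all hypothetical and constructed, and no real network I/O is performed.

```c
#include <stddef.h>
#include <stdio.h>

/* DNS RCODE values from RFC 1035. */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3, RCODE_REFUSED = 5 };

/* Constructed stand-in for one upstream: the rcode it would return and
   how long it takes to reply. */
struct upstream { const char *name; int rcode; int latency_ms; };
struct result   { int rcode; const char *from; int elapsed_ms; };

/* Constructed sample: the first upstream fails, the second one answers. */
static const struct upstream sample[] = {
    { "upstream-a", RCODE_SERVFAIL, 40 },
    { "upstream-b", RCODE_NOERROR,  60 },
    { "upstream-c", RCODE_NOERROR,  30 },
};
static const struct upstream all_fail[] = {
    { "upstream-a", RCODE_SERVFAIL, 40 },
    { "upstream-b", RCODE_SERVFAIL, 60 },
};

/* Try upstreams in order. SERVFAIL and REFUSED mean "this server could not
   help", so the next one is tried. Stop on the first definitive answer, or
   when the client's timeout budget runs out while waiting; in that case the
   last failure seen is relayed so the client still gets a reply in time.
   If no upstream replied at all, a SERVFAIL with from == NULL is returned. */
struct result forward_with_failover(const struct upstream *up, size_t n, int budget_ms)
{
    struct result r = { RCODE_SERVFAIL, NULL, 0 };
    for (size_t i = 0; i < n; i++) {
        int remaining = budget_ms - r.elapsed_ms;
        if (up[i].latency_ms > remaining) {   /* deadline hit while waiting */
            r.elapsed_ms = budget_ms;
            break;
        }
        r.elapsed_ms += up[i].latency_ms;
        r.rcode = up[i].rcode;
        r.from  = up[i].name;
        if (r.rcode != RCODE_SERVFAIL && r.rcode != RCODE_REFUSED)
            break;                            /* NOERROR or NXDOMAIN: done */
    }
    return r;
}

int main(void)
{
    struct result r = forward_with_failover(sample, 3, 2000);
    printf("rcode=%d from=%s after %d ms\n", r.rcode, r.from, r.elapsed_ms);
    return 0;
}
```

With a tight client budget the same upstream list yields the first server's SERVFAIL, which is the trade-off the message points out: failover only helps while there is time left to wait for another server.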