[Dnsmasq-discuss] Bug forward upstream SERVFAIL

Martin Wetterwald martin.wetterwald at corp.ovh.com
Wed Nov 23 12:04:36 GMT 2016


Yes, the behaviour I had in mind is to only forward SERVFAIL to the
client if we didn't have any "better" answer (NOERROR) from any other
upstream.

That way, DNS resolution with several upstreams stays reliable even if
some of them SERVFAIL.

Does that seem reasonable? Does that still respect the RFC definition
of "SERVFAIL"?

Martin

On 22/11/16 12:02, /dev/rob0 wrote:
> On Tue, Nov 22, 2016 at 04:18:55PM +0000, Chris Novakovic wrote:
> > On 22/11/16 15:03, Martin Wetterwald wrote:
> > > We found what we think is a bug (at least a not wanted 
> > > behaviour), but it seems it's actually a feature, when looking at 
> > > commits 4ace25c5 and 51967f980 (pasted at the end of this email).
> > 
> > 4ace25c5 is a red herring: that provides REFUSED responses with the 
> > behaviour you're looking for. Whether the same behaviour ought to 
> > be applied to SERVFAIL responses is for Simon to decide: the commit 
> > message for 51967f980 isn't clear about why SERVFAIL should be 
> > considered a "successful" upstream response, but I'm sure there was 
> > a reason, and I'm sure he can fill us in.
> 
> SERVFAIL can sometimes be considered "successful" depending on 
> circumstances.
> 
> If all the authoritative NS hosts for a zone are returning SERVFAIL 
> for queries, then indeed, that's as best as can be done.
> 
> But the problem could be on the recursive resolver, such as [for one 
> example] cache poisoning causing DNSSEC validation failure.
> 
> Unfortunately dnsmasq is not in a position to know which it is.
> 
> I think the most prudent thing for dnsmasq to do on SERVFAIL is to 
> attempt the query with other upstream servers, if possible.  But an 
> answer needs to be provided to the client before its own timeout 
> value.
> -- 
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
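
The policy discussed in this thread (hold back a SERVFAIL while other upstreams may still answer, and forward it only when every upstream has failed or a deadline below the client's timeout is reached), as an added example in C that is not dnsmasq code. `struct pending`, `on_reply` and `on_deadline` are hypothetical names, and holding back REFUSED the same way as SERVFAIL is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* RCODE values from RFC 1035. */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3, RCODE_REFUSED = 5 };
enum action { ACT_NONE, ACT_FORWARD };   /* send nothing yet / send *out to client */

/* Hypothetical per-query state, not a dnsmasq structure. */
struct pending {
    int upstreams;    /* servers the query was sent to */
    int replies;      /* replies received so far */
    int held_rcode;   /* first failure reply, kept in reserve; -1 if none */
    bool answered;    /* the client already has its answer */
};

/* Assumption: REFUSED is held back the same way as SERVFAIL. */
static bool is_failure(int rcode) {
    return rcode == RCODE_SERVFAIL || rcode == RCODE_REFUSED;
}

void pending_init(struct pending *p, int upstreams) {
    p->upstreams = upstreams; p->replies = 0; p->held_rcode = -1; p->answered = false;
}

/* Called for each upstream reply. */
enum action on_reply(struct pending *p, int rcode, int *out) {
    if (p->answered) return ACT_NONE;               /* late reply: drop it */
    p->replies++;
    if (!is_failure(rcode)) {                       /* usable answer: forward at once */
        p->answered = true; *out = rcode; return ACT_FORWARD;
    }
    if (p->held_rcode < 0) p->held_rcode = rcode;   /* remember the failure */
    if (p->replies < p->upstreams) return ACT_NONE; /* others may still answer */
    p->answered = true; *out = p->held_rcode;       /* every upstream failed */
    return ACT_FORWARD;
}

/* Called when the forwarder's deadline, set below the client's timeout, expires. */
enum action on_deadline(struct pending *p, int *out) {
    if (p->answered || p->held_rcode < 0) return ACT_NONE;
    p->answered = true; *out = p->held_rcode;
    return ACT_FORWARD;
}

int main(void) {
    struct pending p; int out = -1;
    pending_init(&p, 2);                            /* constructed scenario */
    on_reply(&p, RCODE_SERVFAIL, &out);             /* held, nothing sent */
    if (on_reply(&p, RCODE_NOERROR, &out) == ACT_FORWARD) printf("rcode %d\n", out);
    return 0;
}
```

A validating upstream also answers SERVFAIL when DNSSEC validation fails, so under this policy a NOERROR from a non-validating upstream takes precedence over that signal.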


