[Dnsmasq-discuss] Bug forward upstream SERVFAIL

Eric Luehrsen ericluehrsen at hotmail.com
Mon Jan 23 05:17:49 GMT 2017


If you are a customer of some "we build or host your website" companies, then you may also suffer the other end of this. That is, your registrar does a horrible job of pushing your DNSKEY to the correct next-level server and getting a valid DSKEY ... and doing that for all redundant server chains. So one chain of trust may pass, and another chain of trust may fail. Then you lose customer contacts because of single-fail implementations like this.
 
ERIC    


 

From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> on behalf of Dave Taht <dave.taht at gmail.com>
Sent: Sunday, January 22, 2017 22:31
To: dnsmasq-discuss
Subject: Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL
    
From a brief conversation with the bind9 maintainer:

D: if bind gets a servfail, and has two forwarders, will it try the
other forwarder?
E: Yes.

D: Even in the case of a dnssec query?
E:

Bind9 retries an authoritative answer because it might have been
spoofed or one of the servers might be out of date or misconfigured.
It uses the function fctx_nextaddress() to get the next address to try
when a query fails. fctx_nextaddress() searches through both
forwarders and auth servers, depending on what kind of query it is.

D: So I believe it is correct for dnsmasq to try all upstreams on a
servfail response, which restores the prior dnsmasq behavior, and is
more robust.
E: Yes.

D: This seems to look like the right thing:

https://github.com/MartinWetterwald/dnsmasq/pull/1/files



Consider SERVFAIL as a non-successful response by MartinWetterwald · Pull Request #1 · MartinWetterwald/dnsmasq

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org



_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss at lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
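
The forwarding policy discussed in this thread, as an added Python sketch (not dnsmasq or bind9 code, and not taken from the pull request): it compares returning the first SERVFAIL with trying every upstream, for the case where one upstream's chain of trust fails and another's passes. The function names, upstream names and reply bytes are constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def make_reply(qid, rcode):
    """Constructed 12-byte DNS header: QR=1, RD=1, RA=1, one question."""
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)

def parse_header(msg):
    """Return (id, is_response, rcode) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags = struct.unpack("!HH", msg[:4])
    return qid, bool(flags & 0x8000), flags & 0x000F

def forward(qid, upstreams, retry_on_servfail=True):
    """Ask upstreams in order; return (answering upstream, rcode, tried)."""
    tried, failed = [], None
    for name, send in upstreams:
        tried.append(name)
        try:
            rid, is_response, rcode = parse_header(send(qid))
        except ValueError:
            continue                      # truncated reply: try the next one
        if not is_response or rid != qid:
            continue                      # not an answer to this query
        if rcode == RCODE_SERVFAIL and retry_on_servfail:
            failed = name                 # remember the failure, keep going
            continue
        return name, rcode, tried         # first usable (or single-fail) reply
    return failed, RCODE_SERVFAIL, tried  # every upstream failed

# Constructed scenario: upstream-a fails validation on a broken chain of
# trust and answers SERVFAIL; upstream-b resolves the same name.
UPSTREAMS = [
    ("upstream-a", lambda qid: make_reply(qid, RCODE_SERVFAIL)),
    ("upstream-b", lambda qid: make_reply(qid, RCODE_NOERROR)),
]

if __name__ == "__main__":
    print(forward(0x1A2B, UPSTREAMS, retry_on_servfail=False))
    print(forward(0x1A2B, UPSTREAMS, retry_on_servfail=True))
```

With `retry_on_servfail=False` the client sees the SERVFAIL from the first upstream even though the second one could have answered; SERVFAIL is still returned when every upstream fails.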

