Hi John. A few questions, if I may.

- Why *must* you forward everything to Akamai?
- Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please?
- Notwithstanding the nature of these illegal queries, if they *are* illegal (or misguided, or errors, or malicious, or whatever - anything but valid), what's the issue with returning SERVFAIL? GIGO. Or does that then prejudice genuine queries, for some reason?
- Are you *only* forwarding to Akamai?
- Do you have "forward only;" or "forward first;"?
- Do Akamai have any knobs you can tweak (I believe they have a customer web portal for viewing/changing settings?) that would make them behave like an RFC compliant DNS server?
Cheers,
Greg

On Tue, 24 Jan 2023 at 21:17, John Thurston <john.thurs...@alaska.gov> wrote:
> My "resolvers" running BIND 9.18.10 and 9.16.36, accept and attempt to
> resolve queries for illegal names. They will cache answers for these names,
> and answer from cache when asked. What's the thinking here?
>
> I suppose it could be, "The specifications of what is a legal name may
> change with time, and we don't want to burden the resolver code by asking
> it to validate the string before trying to resolve it."
>
> This comes up because my "resolvers" don't actually resolve. All they are
> allowed to do is forward external queries to Akamai, and accept the
> response from Akamai. And Akamai (thank you very much), is happy to accept
> queries like "What is the A-record for 10.11.12.13?" and reply with "The
> answer is 10.11.12.13, and is good for 10 seconds."
>
> Akamai's explanation for this behavior is, ..." the query was made in
> error (likely/maybe meant to be type "PTR") and we are trying to save the
> resolver from doing the work a query like this would entail."
>
> But what it really means is my validating "resolver" then does the work of
> trying to validate the reply it got. It is unable to do so, and returns a
> SERVFAIL to the customer.
>
> I haven't yet tried, but I don't expect I can define an RPZ to trap such
> illegal names. Can I? If I could, it would reduce the traffic to Akamai,
> and the number of validations I'm trying to do.
>
> --
> --
> Do things because you should, not just because you can.
>
> John Thurston 907-465-8591 john.thurs...@alaska.gov
> Department of Administration
> State of Alaska
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
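Greg asks for real examples of the queries reaching John's forwarders. As an added example (not code from this thread, from ISC or from Akamai), here is a small Python filter over BIND query-log lines that pulls out the pattern John describes: A/AAAA queries whose name is a bare IPv4 literal such as 10.11.12.13. The sample log lines are constructed, and the assumed line shape is BIND 9's default `queries` channel format; adjust the regex for a custom channel.

```python
import re
import ipaddress
from collections import Counter

# Assumed BIND 9 query-log shape:
# "client @0x... <addr>#<port> (<qname>): query: <qname> IN <type> <flags> (<local addr>)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def looks_like_ipv4_literal(name: str) -> bool:
    """True when the query name is a bare dotted quad (trailing dot allowed)."""
    try:
        ipaddress.IPv4Address(name.rstrip("."))
        return True
    except ValueError:
        return False

def find_literal_ip_queries(log_lines):
    """Return (client, name, qtype) for A/AAAA queries whose name is an IPv4 literal."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        if m["qtype"] in ("A", "AAAA") and looks_like_ipv4_literal(m["name"]):
            hits.append((m["client"], m["name"].rstrip("."), m["qtype"]))
    return hits

def summarize_by_client(log_lines):
    """Count offending queries per client so the source of the noise can be found."""
    return Counter(client for client, _, _ in find_literal_ip_queries(log_lines))

# Constructed sample query-log lines (not real traffic).
SAMPLE_LOG = """\
24-Jan-2023 21:10:01.123 queries: info: client @0x7f3a1c0b2d40 192.0.2.10#53211 (10.11.12.13): query: 10.11.12.13 IN A +E(0) (198.51.100.5)
24-Jan-2023 21:10:01.456 queries: info: client @0x7f3a1c0b2d40 192.0.2.10#53212 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.5)
24-Jan-2023 21:10:02.001 queries: info: client @0x7f3a1c0b2d40 192.0.2.11#40022 (13.12.11.10.in-addr.arpa): query: 13.12.11.10.in-addr.arpa IN PTR +E(0) (198.51.100.5)
24-Jan-2023 21:10:02.777 queries: info: client @0x7f3a1c0b2d40 192.0.2.10#53213 (203.0.113.9.): query: 203.0.113.9. IN AAAA +E(0) (198.51.100.5)
""".splitlines()

if __name__ == "__main__":
    for client, name, qtype in find_literal_ip_queries(SAMPLE_LOG):
        print(f"{client} asked {qtype} for IPv4 literal {name}")
    print(summarize_by_client(SAMPLE_LOG))
```

Running it over a real query log (with `querylog yes;` or a `queries` logging channel enabled) shows which clients generate these lookups, which is the data Greg's second question asks for.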