- Why *must* you forward everything to Akamai?

I am forced to "forward only;" to Akamai for all external queries. It hasn't always been this way, but the decision was made "above my pay grade", and it is not open to negotiation.

- Was that a real example of a daft query: 10.11.12.13 type A?

10.11.12.13 is, indeed, a query I found in my log.

- What's the issue with returning SERVFAIL?

On my validating "recursive" servers, "SERVFAIL" is the response from _my_ server. That is the result of Akamai saying "Here's your answer!" and my server going through the work of trying to validate it (and failing).

On my non-validating "recursive" servers, I send back the answer Akamai sends me:

;; ANSWER SECTION:
10.11.12.13.            10      IN      A       10.11.12.13

I think SERVFAIL is the correct answer for all of these queries. I do not want to encourage any customers in thinking they can get an address back from me by asking for the address of an address.


- Do Akamai have any knobs you can tweak

{chuckle} I'm not allowed in the control room. And Akamai's response to my question was quoted in my original message. From their perspective, this behavior is a feature, not a defect. I don't expect them to let their customer disable their "features". If I want to change this behavior, I'm going to have to do it within my sphere of influence.

Off-list, it was suggested to me that I _could_ handle this in my RPZ, by enumerating all 255 illegal TLDs (e.g. *.10 CNAME . )

I tried this, and it works as expected when dnssec validation is disabled (either globally, or with "validate-except"). My idea right now is I can enumerate the TLDs of the numerics I see in my logs, and ignore the rest. I think this will get me what I want, at a level of complexity I can accept.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 1/24/2023 10:26 PM, Greg Choules wrote:
- Why *must* you forward everything to Akamai?
- Was that a real example of a daft query: 10.11.12.13 type A? If not, do you have some real examples of queries being made to your servers please?
- Notwithstanding the nature of these illegal queries, if they *are* illegal (or misguided, or errors, or malicious, or whatever - anything but valid), what's the issue with returning SERVFAIL? GIGO. Or does that then prejudice genuine queries, for some reason?
- Are you *only* forwarding to Akamai?
- Do you have "forward only;" or "forward first;"?
- Do Akamai have any knobs you can tweak (I believe they have a customer web portal for viewing/changing settings?) that would make them behave like an RFC compliant DNS server?
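The RPZ approach discussed above (one "*.N CNAME ." wildcard per numeric TLD, built from the numeric TLDs actually seen in the query log) as an added example; this is not code from the thread or from BIND. The zone name, SOA values and the sample query-log lines are constructed.

```python
"""Build an RPZ zone that answers NXDOMAIN for names under all-numeric
TLDs, and pull the numeric TLDs that actually appear in a BIND query log
so the zone can be kept to the TLDs that matter locally."""
import re

ZONE = "numeric-tld.rpz.local"   # assumed RPZ zone name

# BIND query-log lines contain "query: <qname> IN <type> ..."
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")

# Constructed sample in BIND's query-log format (not real log data).
SAMPLE_LOG = """\
24-Jan-2023 22:10:01.123 client @0x7f3c 192.0.2.10#41532 (10.11.12.13): query: 10.11.12.13 IN A + (192.0.2.53)
24-Jan-2023 22:10:02.456 client @0x7f3c 192.0.2.11#53211 (www.example.com): query: www.example.com IN AAAA +E(0) (192.0.2.53)
24-Jan-2023 22:10:03.789 client @0x7f3c 192.0.2.12#60001 (host.example.1.): query: host.example.1. IN A + (192.0.2.53)
"""


def numeric_tld(qname):
    """Return the top label if it is all digits (never a valid TLD), else None."""
    last = qname.rstrip(".").rsplit(".", 1)[-1]
    return last if last.isdigit() else None


def numeric_tlds_in_log(text):
    """Set of numeric TLDs (as ints) seen in query-log text."""
    found = set()
    for m in QUERY_RE.finditer(text):
        tld = numeric_tld(m.group(1))
        if tld is not None:
            found.add(int(tld))
    return found


def rpz_zone(tlds, zone=ZONE, serial=1):
    """Zone text with one '*.<tld> CNAME .' (the RPZ NXDOMAIN action) per TLD.
    A wildcard matches names with at least one label before the TLD, which
    is what address-shaped names like 10.11.12.13 look like."""
    head = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    body = [f"*.{tld} IN CNAME ." for tld in sorted(tlds)]
    return "\n".join(head + body) + "\n"


if __name__ == "__main__":
    # Either pass range(256) for every octet, or only the TLDs seen in the log.
    print(rpz_zone(numeric_tlds_in_log(SAMPLE_LOG)))
```

The generated file is loaded through a `response-policy { zone "numeric-tld.rpz.local"; };` statement in named.conf. As the thread notes, the rewrite is only seen with validation off; BIND's `response-policy` statement also accepts `break-dnssec yes`, which applies the policy regardless of DNSSEC validation, at the cost of rewriting validated data too.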


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users