On 04/06/2021 18:22, Anthony Lieuallen via dns-operations wrote:
On Fri, Jun 4, 2021 at 11:58 AM A. Schulze <[email protected]> wrote:

    So I wonder, why do so many resolvers [1] obviously do only follow a
    delegation and ignore authoritative data?


This is a question of being parent- vs. child-centric.  The parents in the DNS tree delegate correctly.  The fact that the children delegate incorrectly can be a small or non-issue depending on the resolver.  Google Public DNS uses only parent delegations ( https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation ).  Largely for issues like this: the child delegations can be wrong, but for the domain to work at all, the parent delegations must be correct.  (Resolvers that choose to use child delegations will likely in this case discover that these delegations are bogus, and be left with only the valid delegations, from the parent.)

Unbound prefers the child side name servers, but if they do not answer, tries to use the parent-side name servers.

In a little more detail: Unbound would on the first resolve use the parent-side servers. On the second resolve, Unbound has the child-side name server data, looks up ns1.example.com and gets an answer from the IANA example servers. It then tries to send packets to them, getting failure answers. It then tries the parent-side name servers as a fallback.

-- Benno

--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
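
The two strategies described in this thread, as a simplified model added here as an example; it is not code from Unbound, Google Public DNS, or any poster. The `provider.example` name servers and the answer table are constructed for illustration; `ns1.example.com` is the child-side name mentioned above.

```python
# Simplified model (an assumption, not resolver source code) of how the two
# delegation strategies discussed in this thread pick name servers.
# All zone data below is constructed for illustration.

PARENT_NS = {"ns1.provider.example", "ns2.provider.example"}  # delegation in the parent zone
CHILD_NS = {"ns1.example.com", "ns2.example.com"}             # stale NS RRset at the child apex
ANSWERS = {                                                   # does this server serve the zone?
    "ns1.provider.example": True, "ns2.provider.example": True,
    "ns1.example.com": False, "ns2.example.com": False,
}


def query(servers, answers, tried):
    """Ask each server in turn; return the first one that answers for the zone."""
    for ns in sorted(servers):
        tried.append(ns)
        if answers.get(ns, False):
            return ns
    return None


def parent_centric(parent_ns, answers):
    """Use only the parent-side delegation; the child NS RRset is never consulted."""
    tried = []
    return query(parent_ns, answers, tried), tried


def child_preferring(parent_ns, child_ns, answers, cached_child_ns=False):
    """Prefer the child-side NS set once it is cached; fall back to the parent side."""
    tried = []
    if cached_child_ns:
        hit = query(child_ns, answers, tried)
        if hit:
            return hit, tried
    return query(parent_ns - set(tried), answers, tried), tried


def lame_child_ns(parent_ns, child_ns, answers):
    """Child-side names that are absent from the parent delegation and do not answer."""
    return sorted(ns for ns in child_ns - parent_ns if not answers.get(ns, False))


if __name__ == "__main__":
    print(parent_centric(PARENT_NS, ANSWERS))
    print(child_preferring(PARENT_NS, CHILD_NS, ANSWERS))                        # first resolve
    print(child_preferring(PARENT_NS, CHILD_NS, ANSWERS, cached_child_ns=True))  # second resolve
    print(lame_child_ns(PARENT_NS, CHILD_NS, ANSWERS))
```

The length of the `tried` list on the second resolve is the cost of the stale child NS set: every child-side name is attempted before the parent-side delegation is used.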
