On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <ma...@isc.org> wrote:
>
> In message <18f2eb0d-5bd0-4cc5-b02c-2e5ea0b8c...@fugue.com>, Ted Lemon writes:
> > Hm. When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > When I validate, I get a secure denial of existence. This is the
> > correct behavior. Why do you think we would get a SERVFAIL?
>
> Because your testing is incomplete.
>
> Go add an empty zone (SOA and NS records only) for alt to your
> recursive server. This is what needs to be done to prevent
> privacy leaks.
>
> Configure another recursive server to forward its queries to this
> server and enable validation.

I believe this is an erroneous configuration.
You need to have the recursive server (the first one) forward to another server for the empty zone, otherwise that zone's contents do not end up in the recursive server's cache. Once you have that, the other recursive server (added and forwarding to the first recursive) only gets back the non-leak results. Since the first server is always forwarding to the empty zone, it never queries the root, and never gets the authenticated denial of existence.

Brian

> Now ask for foo.alt from this second server.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
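The two-server test Mark lays out above, written out as BIND 9 named.conf fragments so it can be reproduced; this is an added illustration, not configuration from the thread or from ISC. The addresses 192.0.2.1 (first recursive, hosting the empty alt zone) and 192.0.2.2 (second recursive, forwarding to it) and the zone-file path are assumptions.

```conf
# --- Server A (192.0.2.1, assumed): recursive resolver that serves an
# --- empty "alt" zone locally, so a foo.alt query never leaks to the root.
options {
    recursion yes;
    dnssec-validation auto;
};

zone "alt" {
    type master;
    file "/etc/bind/db.alt";   # assumed path; contents in the comment below
};

# /etc/bind/db.alt holds SOA and NS only, as Mark specifies (zone-file
# syntax, shown here as a comment because it is not named.conf):
#   $TTL 3600
#   @   IN  SOA  localhost. nobody.invalid. ( 1 3600 1200 604800 3600 )
#   @   IN  NS   localhost.

# --- Server B (192.0.2.2, assumed): validating recursive that forwards
# --- every query to Server A and therefore never contacts the root itself.
options {
    recursion yes;
    dnssec-validation auto;
    forward only;
    forwarders { 192.0.2.1; };
};

# Mark's last step, run from a shell against Server B:
#   dig @192.0.2.2 foo.alt +dnssec
# Mark's position is that B answers SERVFAIL: A replies from its unsigned
# empty zone, so B never sees the root's signed proof that alt has no DS
# and cannot validate the denial; Brian's reply above disputes the setup.
```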
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop