[RFCI-Discuss] Interesting Question

Derek J. Balling dredd at megacity.org
Sun Dec 4 17:12:07 EST 2005


On Dec 4, 2005, at 2:02 PM, Alex van den Bogaerdt wrote:
> I'm not sure if this is correct or not.  The answer you got is not
> authoritative.  That is correct, as the name server records are
> a property of its child zone.  It's only the missing authority
> that bites you.  The server does have knowledge on the RR you
> queried it for, and did try to help you by presenting it to you.

Right, although *technically* I should be ignoring those answers (at  
least ... I *think* I should be) in chasing down an authoritative  
answer. To do otherwise is to open myself up to DNS poisoning style  
exploits, no?

> Interestingly, when you query "dig @a.gtld-servers.net yahoo.com" it
> does work as expected:
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15110
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
>
> probably because the gtld server does not have an A record but does
> know first hand where to get it.

Right. :-)

> You are writing a script that follows the path from the root down to
> the authoritative server, and it failed.  I hope the implied  
> workaround
> I presented above does help.

Well, actually I use the following logic:

o	Start at root-servers.net, thus I know any answer I get is --  
theoretically at least -- in the authoritative "path"

o	If there are authority records, and the answer is not  
authoritative, go to the authority records instead

o	If the answer is not self-labeled as authoritative, there are no  
authority records, but there *are* answer records, I pretend the  
answer records are authoritative (I am not necessarily subject to DNS  
poisoning attacks, really, since I'm chasing downwards from the  
root). Realistically, I expect this condition only to ever be met  
when talking to the gtld-servers.net servers.

Since -- in all these cases -- I know "Someone high up in the food  
chain pointed me in this direction", the ANSWERS section is probably  
"Safe to use", but I really wish I knew if my understanding was  
wrong, or if it was the gtld-servers servers that were wrong.

D
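The root-down chase described in the message, as an added example that is not part of the original post or the poster's script: it implements the three rules listed above (AA answer ends the walk; non-AA plus AUTHORITY is a referral to follow; non-AA with no AUTHORITY but an ANSWER section is taken as the delegation, which is the gtld-servers case in the thread) and adds the check a defender wants on top of "someone higher up pointed me here": a referral and its glue are only trusted if they lie inside the zone the responding server was reached for (a bailiwick check). All server addresses, zone names, records and the "a.gtld.test." / "ns.attacker.test." names are constructed test data; the walk runs against an in-memory table instead of sending real queries.

```python
# Added example, not from the thread: simulated root-down delegation walk with
# the three rules from the post plus a bailiwick check on referrals and glue.
# Every IP, zone and hostname below is constructed test data (documentation
# address space), not real DNS.
from dataclasses import dataclass, field


@dataclass
class Response:
    aa: bool                                        # AA bit from the header
    answer: list = field(default_factory=list)      # (name, type, rdata)
    authority: list = field(default_factory=list)   # (zone, "NS", nsname)
    additional: dict = field(default_factory=dict)  # nsname -> IP (glue)


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it (names end with '.')."""
    return zone == "." or name == zone or name.endswith("." + zone)


# Constructed responses: server IP -> qname -> Response.
SERVERS = {
    "192.0.2.1": {   # stands in for a root server
        "www.example.com.": Response(
            aa=False, authority=[("com.", "NS", "a.gtld.test.")],
            additional={"a.gtld.test.": "192.0.2.5"}),
        "example.com.": Response(
            aa=False, authority=[("com.", "NS", "a.gtld.test.")],
            additional={"a.gtld.test.": "192.0.2.5"}),
    },
    "192.0.2.5": {   # stands in for a com TLD server
        "www.example.com.": Response(
            aa=False,
            authority=[("example.com.", "NS", "ns1.example.com."),
                       # out-of-bailiwick record a buggy or poisoned reply might carry
                       ("example.org.", "NS", "ns.attacker.test.")],
            additional={"ns1.example.com.": "192.0.2.10",
                        "ns.attacker.test.": "203.0.113.66"}),
        # the yahoo.com-style case from the thread: AA clear, no AUTHORITY,
        # but the delegation's NS set is returned in ANSWER
        "example.com.": Response(
            aa=False, answer=[("example.com.", "NS", "ns1.example.com.")],
            additional={"ns1.example.com.": "192.0.2.10"}),
    },
    "192.0.2.10": {  # stands in for example.com's own authoritative server
        "www.example.com.": Response(
            aa=True, answer=[("www.example.com.", "A", "192.0.2.80")]),
        "example.com.": Response(
            aa=True, answer=[("example.com.", "NS", "ns1.example.com.")]),
    },
}


def referral_from(resp, zone, qname):
    """Pick the delegation to follow, keeping only records the responding
    server may speak for: NS owners inside its zone that cover qname, and
    glue for those owners' nameservers that is itself inside its zone."""
    child = None
    for owner, rtype, _ns in resp.authority:
        if rtype != "NS" or not in_bailiwick(owner, zone):
            continue                      # not this server's to assert
        if not in_bailiwick(qname, owner):
            continue                      # delegation does not cover qname
        if child is None or len(owner) > len(child):
            child = owner                 # closest enclosing delegation
    if child is None:
        return None, {}
    ns_names = {ns for owner, _, ns in resp.authority if owner == child}
    glue = {ns: ip for ns, ip in resp.additional.items()
            if ns in ns_names and in_bailiwick(ns, zone)}
    return child, glue


def resolve(qname, qtype, servers=SERVERS, root="192.0.2.1", max_hops=8):
    """Walk from the root toward qname. Returns (records, authoritative, path)."""
    server, zone, path = root, ".", []
    for _ in range(max_hops):
        path.append(server)
        resp = servers[server].get(qname)
        if resp is None:
            raise LookupError(f"{server} has no data for {qname}")
        if resp.aa:                       # rule 1: an AA answer ends the chase
            return [r for r in resp.answer if r[1] == qtype], True, path
        child, glue = referral_from(resp, zone, qname)
        if child is not None:             # rule 2: follow the (vetted) referral
            if not glue:
                raise LookupError(f"no in-bailiwick glue for {child}")
            server, zone = sorted(glue.values())[0], child
            continue
        # rule 3: non-AA, no AUTHORITY, but ANSWER present (TLD apex case);
        # accept only records for qname inside the zone we were delegated to
        recs = [r for r in resp.answer
                if r[0] == qname and r[1] == qtype and in_bailiwick(r[0], zone)]
        if recs:
            return recs, False, path
        raise LookupError(f"dead end at {server} for {qname}")
    raise LookupError("too many hops")


if __name__ == "__main__":
    for q, t in (("www.example.com.", "A"), ("example.com.", "NS")):
        recs, aa, path = resolve(q, t)
        print(q, t, recs, "AA" if aa else "assumed-authoritative", path)
```

The second query reproduces the situation in the thread: the TLD stand-in answers `example.com. NS` with AA clear and an empty AUTHORITY section, so the walk returns the ANSWER records flagged as assumed rather than proven authoritative. The bailiwick filter is what makes rule 3 safe in the sense the poster reasons about: the `example.org.` NS record and the `ns.attacker.test.` glue in the constructed TLD reply are dropped because a server reached for `com.` cannot vouch for names outside it.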
