NEWS · bb719defd5d163bd9c7cf1e729bf0705924f47b6 · Knot projects / Knot Resolver · GitLab

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

Nov 16, 2020

iterate: accept parent-side records for nameservers · bb719def

Vladimír Čunát authored Nov 16, 2020

When resolving just NS names and addresses which won't go to answers,
our cache can satisfy them with just parent-side records.
Now we also make iterator consistent with that, and it will cut short
if a delegation satisfies what the kr_query wants.

There's a general risk that we will never get the child-side records,
and in practice the parent-side ones are sometimes "less accurate".
This change may increase this risk (to NS addresses in particular),
but we'd better consider addressing the risk later and systematically.
A suggestion is to refresh the records asynchronously:
https://tools.ietf.org/html/draft-ietf-dnsop-ns-revalidation

---
State before this commit lead to a weird behaviour where some IPv4-only
tests in Deckard (namely `iter_pcdiff.rpl`) were failing with IPv6
turned off.

This was due to the resolvers' internal preference towards AAAA records
for NS names.  With IPv6 networking on, NS name resolution was first
done for AAAA record and the glue (containing A record for the NS name
in question) from parent zone was put into cache.  As the AAAA
resolution failed (there is no AAAA for this NS name), A was queried
next and was satisfied from cache.

With IPv6 off, there is no query for the AAAA record, so no A record
from glue gets put in to the cache.  A record is resolved first, and
resolution ignores the glue in parent zone and continue to the child
zone which might be broken (intentionally in the case of that
`iter_pcdiff.rpl` test).

bb719def

iterate: accept parent-side records for nameservers

Vladimír Čunát authored Nov 16, 2020

When resolving just NS names and addresses which won't go to answers,
our cache can satisfy them with just parent-side records.
Now we also make iterator consistent with that, and it will cut short
if a delegation satisfies what the kr_query wants.

There's a general risk that we will never get the child-side records,
and in practice the parent-side ones are sometimes "less accurate".
This change may increase this risk (to NS addresses in particular),
but we'd better consider addressing the risk later and systematically.
A suggestion is to refresh the records asynchronously:
https://tools.ietf.org/html/draft-ietf-dnsop-ns-revalidation

---
State before this commit lead to a weird behaviour where some IPv4-only
tests in Deckard (namely `iter_pcdiff.rpl`) were failing with IPv6
turned off.

This was due to the resolvers' internal preference towards AAAA records
for NS names.  With IPv6 networking on, NS name resolution was first
done for AAAA record and the glue (containing A record for the NS name
in question) from parent zone was put into cache.  As the AAAA
resolution failed (there is no AAAA for this NS name), A was queried
next and was satisfied from cache.

With IPv6 off, there is no query for the AAAA record, so no A record
from glue gets put in to the cache.  A record is resolved first, and
resolution ignores the glue in parent zone and continue to the child
zone which might be broken (intentionally in the case of that
`iter_pcdiff.rpl` test).

To find the state of this project's repository at the time of any of these versions, check out the tags.