
From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Re: nginx: improve compatibility with unwind
To:
Otto Moerbeek <otto@drijf.net>
Cc:
Robert Nagy <robert@openbsd.org>, ports@openbsd.org
Date:
Sun, 23 Jun 2024 15:31:25 +0100

  • On Sun, 23 Jun 2024 14:43:54 +0100,
    Otto Moerbeek <otto@drijf.net> wrote:
    > 
    > It is possible to argue that it is correct in doing so, *if* it
    > didn't set the AD flag in the request.
    > 
    > See https://www.rfc-editor.org/rfc/rfc6840#section-5.8
    > 
    > So a question is: what did the request look like?
    >
    
    Request has flags:
    
        Flags: 0x0100 Standard query
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data: Unacceptable
    
    and response from unwind has flags:
    
        Flags: 0x81a0 Standard query response, No error
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..1. .... = Answer authenticated: Answer/authority portion was authenticated by the server
            .... .... ...0 .... = Non-authenticated data: Unacceptable
            .... .... .... 0000 = Reply code: No error (0)
    
    from tshark's point of view
    
    > I must say that the RFC using SHOULD here does not help a lot. 
    >
    
    Indeed, the wording in the RFC makes such behavior... let's say not against the RFC.
    
    But the only software that doesn't work is Nginx.
    
    Thus, I was wrong about the configuration of the forwarder in my unwind.conf.
    The domain in question really exists in my DNS records, which are available
    worldwide, and if I simplify unwind.conf to
    
      preference { recursor }
    
    I can reproduce that issue. But I can't reproduce the issue if I use
    google.com, which means that the bit is probably introduced by cloudns.net,
    which I use, and forwarded by unwind / libunbound to the client.
    
    -- 
    wbr, Kirill
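
An added example, not part of the original message and not nginx or unwind code: it decodes the two flag words from the tshark output above and classifies the reply's AD bit against the query, following the RFC 6840 recommendation that a validating resolver set AD only when the query carried AD or DO. The function and enum names are hypothetical, and the DO bit is passed in by the caller because it lives in the EDNS OPT record, which the capture excerpt does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits (RFC 1035 section 4.1.1; AD and CD per RFC 4035). */
enum { DNS_QR = 0x8000, DNS_AA = 0x0400, DNS_TC = 0x0200, DNS_RD = 0x0100,
       DNS_RA = 0x0080, DNS_AD = 0x0020, DNS_CD = 0x0010 };

enum ad_verdict { AD_NOT_A_PAIR, AD_NOT_SET, AD_REQUESTED, AD_UNSOLICITED };

/* Classify the reply's AD bit against the query that triggered it.
 * query_do is the DO bit from the query's EDNS OPT record (caller-supplied). */
enum ad_verdict classify_ad(uint16_t qflags, uint16_t rflags, int query_do)
{
    if ((qflags & DNS_QR) || !(rflags & DNS_QR))
        return AD_NOT_A_PAIR;              /* not a query/response pair */
    if (!(rflags & DNS_AD))
        return AD_NOT_SET;
    return ((qflags & DNS_AD) || query_do) ? AD_REQUESTED : AD_UNSOLICITED;
}

/* Write the names of the set flag bits into out, space separated. */
const char *describe_flags(uint16_t flags, char *out, size_t len)
{
    static const struct { uint16_t mask; const char *name; } bits[] = {
        {DNS_QR, "QR"}, {DNS_AA, "AA"}, {DNS_TC, "TC"}, {DNS_RD, "RD"},
        {DNS_RA, "RA"}, {DNS_AD, "AD"}, {DNS_CD, "CD"},
    };
    size_t used = 0;
    if (len == 0) return out;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (!(flags & bits[i].mask)) continue;
        int n = snprintf(out + used, len - used, "%s%s", used ? " " : "", bits[i].name);
        if (n < 0 || (size_t)n >= len - used) break;   /* buffer full */
        used += (size_t)n;
    }
    return out;
}

int main(void)
{
    static const char *verdict[] = { "not a pair", "AD not set", "AD requested", "AD unsolicited" };
    char q[32], r[32];
    uint16_t qf = 0x0100, rf = 0x81a0;  /* flag words from the capture above; DO assumed absent */
    printf("query [%s] reply [%s]: %s\n", describe_flags(qf, q, sizeof q),
           describe_flags(rf, r, sizeof r), verdict[classify_ad(qf, rf, 0)]);
    return 0;
}
```

Because the RFC wording is a SHOULD, `AD_UNSOLICITED` marks a reply a tolerant client still has to accept, not a protocol error.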