Last active
October 7, 2015 17:14
-
-
Save vavrusa/c3e24deb1dbbd4538034 to your computer and use it in GitHub Desktop.
How Knot DNS Resolved minimizes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## How it deals with bad CDNs | |
| The query is `who.ami.here.com. A` | |
| 1. It's going to ask at `.` to `com. NS` and get a referral | |
| 2. it's going to ask `com.` nameserver about `here.com. NS` and get a referral | |
| ... see the pattern, it just appends labels, but bear with me | |
| 3. We're asking `here.com` nameserver about `ami.here.com. NS` , but he's a prick and tells us 'NXDOMAIN'. | |
| We should think that there is nothing at or below name name, but with some CDNs it's **a lie**. | |
| So we turn off the minimization and requery the full name `who.ami.here.com A`, now it's going to either | |
| refer us to final nameserver or give us `NXDOMAIN` again. | |
| If (a), we leaked some information to the parent nameserver, if (b) it was reliable and we wasted an extra query. | |
| In real world it doesn't happen that often since `NS com.` is authoritative for `<1-2 labels>.com` etc., but it happens | |
| with CDNs where you suddenly jump 2 or more labels. | |
| ## How does it deal with a truckload of labels (IPv6 PTR records) | |
| Fortunately, since root nameservers give us an authoritative answer to `arpa.`, we turn off minimization afterwards. | |
| Yes, this leaks information to `arpa.`. | |
| Most of the names with many labels don't actually have search path this long (it often jumps several labels per referral), or | |
| end up covered by a wildcard. In any way, you need to follow the referral chain anyway even if you don't minimize. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment