<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 15/04/2020 15:37, Caleb Bontrager
via Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKSaOB+8o85gF9-oiQHdcyhvnz9mpgCgR3=7yL+wU0zyB6hDeQ@mail.gmail.com">The
question I have is if there is a configuration ability to remove
the AA bit requirement for resolution?</blockquote>
<p>I can't answer the specific question, but I tested that my own
local pdns-recursor (4.3.0-1pdns.bionic) *is* able to resolve
leg.mt.gov.</p>
<p>rec_control dump_cache says:</p>
<p><tt>mt.gov. 86340 IN NS mtdnstri.mt.gov. ; (Indeterminate) auth=0</tt><tt><br>
</tt><tt>mt.gov. 86340 IN NS mtdnspri.mt.gov. ; (Indeterminate)
auth=0</tt><tt><br>
</tt><tt>mt.gov. 86340 IN NS mtdnssec.mt.gov. ; (Indeterminate)
auth=0</tt><tt><br>
</tt><tt>mtdnstri.mt.gov. 86340 IN A 161.7.129.10 ;
(Indeterminate) auth=0</tt><tt><br>
</tt><tt>mtdnssec.mt.gov. 86340 IN A 161.7.38.11 ; (Indeterminate)
auth=0</tt><tt><br>
</tt><tt>mtdnspri.mt.gov. 86340 IN A 161.7.38.10 ; (Indeterminate)
auth=0</tt><tt><br>
</tt><tt>leg.mt.gov. 3540 IN A 161.7.35.124 ; (Indeterminate)
auth=1</tt><tt><br>
</tt><tt>leg.mt.gov. 3540 A ; tag 0</tt><br>
</p>
<p>And the query log:</p>
<p><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov: got
NS record 'mt.gov' -> 'mtdnstri.mt.gov.'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov:
got NS record 'mt.gov' -> 'mtdnspri.mt.gov.'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov:
got NS record 'mt.gov' -> 'mtdnssec.mt.gov.'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] mt.gov:
status=did not resolve, got 3 NS, looping to them</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=mt.gov: Step4 Resolve A result is No
Error/0/2</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=mt.gov: Delegation seen, continue at step 1</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Checking if we have NS in cache for 'mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnstri.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnspri.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnssec.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=mt.gov: Step1 Ancestor from cache is mt.gov.</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=leg.mt.gov: Step2 New child</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=leg.mt.gov: Step3 Going to do final resolve</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Wants DNSSEC processing, auth data in query for A</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Looking for CNAME cache hit of 'leg.mt.gov|CNAME'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Looking for DNAME cache hit of 'leg.mt.gov|DNAME' or
its ancestors</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: No CNAME or DNAME cache hit of 'leg.mt.gov' found</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: No cache hit for 'leg.mt.gov|A', trying to find an
appropriate NS record</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got TA
for '.'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] :
setting cut state for . to Secure</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Checking if we have NS in cache for 'leg.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: no valid/useful NS in cache for 'leg.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Checking if we have NS in cache for 'mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnstri.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnspri.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: NS (with ip, or non-glue) in cache for 'mt.gov'
-> 'mtdnssec.mt.gov'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: within bailiwick: 1, in cache, ttl=86400</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: We have NS in cache for 'mt.gov' (flawedNSSet=0)</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: initial validation status for leg.mt.gov is
Indeterminate</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Cache consultations done, have 3 NS to contact</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov.: Nameservers: mtdnspri.mt.gov(0.00ms),
mtdnssec.mt.gov(0.00ms), mtdnstri.mt.gov(0.00ms)</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Trying to resolve NS 'mtdnspri.mt.gov' (1/3)</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
mtdnspri.mt.gov.|A child=(empty): doResolve</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: Wants DNSSEC processing, NO auth data in query
for A</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: Recursion not requested for
'mtdnspri.mt.gov|A', peeking at auth/forward zones</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: Looking for CNAME cache hit of
'mtdnspri.mt.gov|CNAME'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: Looking for DNAME cache hit of
'mtdnspri.mt.gov|DNAME' or its ancestors</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: No CNAME or DNAME cache hit of
'mtdnspri.mt.gov' found</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: Found cache hit for A: 161.7.38.10[ttl=86400]</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
mtdnspri.mt.gov: updating validation state with cache content
for mtdnspri.mt.gov to Indeterminate</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
mtdnspri.mt.gov.|A child=(empty): Step0 Found in cache</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Resolved 'mt.gov' NS mtdnspri.mt.gov to: 161.7.38.10</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Trying IP 161.7.38.10:53, asking 'leg.mt.gov|A'</tt><tt><br>
</tt><b><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: Got 2 answers from mtdnspri.mt.gov (161.7.38.10),
rcode=0 (No Error), aa=1, in 128ms</tt></b><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: accept answer 'leg.mt.gov|A|161.7.35.124' from
'mt.gov' nameservers? ttl=3600, place=1 YES!</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: OPT answer '.' from 'mt.gov' nameservers</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] : got
initial zone status Indeterminate for record leg.mt.gov|A</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: determining status after receiving this packet</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: answer is in: resolved to '161.7.35.124|A'</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: status=got results, this level of recursion done</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1]
leg.mt.gov: validation status is Indeterminate</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: [1] QM
leg.mt.gov.|A child=leg.mt.gov: Step3 Final resolve: No Error/1</tt><tt><br>
</tt><tt>Apr 16 10:18:43 cache2 pdns_recursor[19615]: 2 [1/1]
answer to question 'leg.mt.gov|A': 1 answers, 1 additional, took
3 packets, 226.077 netw ms, 247.328 tot ms, 0 throttled, 0
timeouts, 0 tcp connections, rcode=0</tt><br>
</p>
<p>The weird thing is, logs above are showing aa=1 in the response.<br>
</p>
Using dig, I see the same as you - that the servers for this domain
are all lame. aa=0, ra=1. Even the TTL decrements like a recursor.<br>
<p><br>
</p>
<tt>$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a</tt><tt><br>
</tt><tt><br>
</tt><tt>; <<>> DiG 9.10.6 <<>> +norec
@mtdnstri.mt.gov. leg.mt.gov. a</tt><tt><br>
</tt><tt>; (1 server found)</tt><tt><br>
</tt><tt>;; global options: +cmd</tt><tt><br>
</tt><tt>;; Got answer:</tt><tt><br>
</tt><tt>;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 12168</tt><tt><br>
</tt><tt>;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1</tt><tt><br>
</tt><tt><br>
</tt><tt>;; OPT PSEUDOSECTION:</tt><tt><br>
</tt><tt>; EDNS: version: 0, flags:; udp: 4096</tt><tt><br>
</tt><tt>;; QUESTION SECTION:</tt><tt><br>
</tt><tt>;leg.mt.gov. IN A</tt><tt><br>
</tt><tt><br>
</tt><tt>;; ANSWER SECTION:</tt><tt><br>
</tt><tt>leg.mt.gov. 3579 IN A 161.7.35.124</tt><tt><br>
</tt><tt><br>
</tt><tt>;; Query time: 118 msec</tt><tt><br>
</tt><tt>;; SERVER: 161.7.129.10#53(161.7.129.10)</tt><tt><br>
</tt><tt>;; WHEN: Thu Apr 16 10:56:19 BST 2020</tt><tt><br>
</tt><tt>;; MSG SIZE rcvd: 55</tt><tt><br>
</tt><tt><br>
</tt><tt>$ dig +norec @mtdnstri.mt.gov. leg.mt.gov. a</tt><tt><br>
</tt><tt><br>
</tt><tt>; <<>> DiG 9.10.6 <<>> +norec
@mtdnstri.mt.gov. leg.mt.gov. a</tt><tt><br>
</tt><tt>; (1 server found)</tt><tt><br>
</tt><tt>;; global options: +cmd</tt><tt><br>
</tt><tt>;; Got answer:</tt><tt><br>
</tt><tt>;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 61785</tt><tt><br>
</tt><tt>;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0,
ADDITIONAL: 1</tt><tt><br>
</tt><tt><br>
</tt><tt>;; OPT PSEUDOSECTION:</tt><tt><br>
</tt><tt>; EDNS: version: 0, flags:; udp: 4096</tt><tt><br>
</tt><tt>;; QUESTION SECTION:</tt><tt><br>
</tt><tt>;leg.mt.gov. IN A</tt><tt><br>
</tt><tt><br>
</tt><tt>;; ANSWER SECTION:</tt><tt><br>
</tt><tt>leg.mt.gov. 3574 IN A 161.7.35.124</tt><tt><br>
</tt><tt><br>
</tt><tt>;; Query time: 117 msec</tt><tt><br>
</tt><tt>;; SERVER: 161.7.129.10#53(161.7.129.10)</tt><tt><br>
</tt><tt>;; WHEN: Thu Apr 16 10:56:24 BST 2020</tt><tt><br>
</tt><tt>;; MSG SIZE rcvd: 55</tt><br>
<br>
<p>Sometimes I see the TTL jump back up again - perhaps some sort of
load-balancer in front of a bunch of recursive servers?</p>
<p>Next I try a tcpdump while pdns-recursor does its business:</p>
<tt>10:29:18.479243 IP 10.12.255.54.54426 > 161.7.129.10.53:
11772 [1au] A? leg.mt.gov. (39)</tt><tt><br>
</tt><tt> 0x0000: 4500 0043 576a 4000 4011 b7eb 0a0c ff36
<a class="moz-txt-link-abbreviated" href="mailto:E..CWj@.@......6">E..CWj@.@......6</a></tt><tt><br>
</tt><tt> 0x0010: a107 810a d49a 0035 002f 2b95 2dfc 0000
.......5./+.-...</tt><tt><br>
</tt><tt> 0x0020: 0001 0000 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 0000 2904 d000 0080
gov.......).....</tt><tt><br>
</tt><tt> 0x0040: 0000 00 ...</tt><tt><br>
</tt><tt>10:29:18.596734 IP 161.7.129.10.53 > 10.12.255.54.54426:
11772*- 1/0/1 A 161.7.35.124 (55)</tt><tt><br>
</tt><tt> 0x0000: 4550 0053 7c67 4000 f211 e08d a107 810a
EP.S|g@.........</tt><tt><br>
</tt><tt> 0x0010: 0a0c ff36 0035 d49a 003f d4df 2dfc <b>8400</b>
...6.5...?..-...</tt><tt><br>
</tt><tt> 0x0020: 0001 0001 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000
gov.............</tt><tt><br>
</tt><tt> 0x0040: 0e10 0004 a107 237c 0000 2910 0000 0000
......#|..).....</tt><tt><br>
</tt><tt> 0x0050: 0000 00 ...</tt><br>
<p>If I decode the response I get:</p>
<p>2dfc = ident</p>
<p>8400 = flags: QR=1, opcode = 0000, AA=1, TC=0, RD=0; RA=0, Z=0,
AD=0, CD=0, rcode=0000</p>
<p>Exactly what's expected from an authoritative server:
Authoritative Answer=1, Recursion Available=0.<br>
</p>
<p>Now let me try the same with dig:</p>
<p># dig +norec @161.7.129.10 leg.mt.gov. a</p>
<p><tt>10:35:13.468482 IP 10.12.255.54.38387 > 161.7.129.10.53:
34722 [1au] A? leg.mt.gov. (51)</tt><tt><br>
</tt><tt> 0x0000: 4500 004f cb80 0000 4011 83c9 0a0c ff36
<a class="moz-txt-link-abbreviated" href="mailto:E..O....@......6">E..O....@......6</a></tt><tt><br>
</tt><tt> 0x0010: a107 810a 95f3 0035 003b 2ba1 87a2 0020
.......5.;+.....</tt><tt><br>
</tt><tt> 0x0020: 0001 0000 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 0000 2910 0000 0000
gov.......).....</tt><tt><br>
</tt><tt> 0x0040: 0000 0c00 0a00 0880 3a8e d7cf 0707 14
........:......</tt><tt><br>
</tt><tt>10:35:13.586436 IP 161.7.129.10.53 >
10.12.255.54.38387: 34722 1/0/1 A 161.7.35.124 (55)</tt><tt><br>
</tt><tt> 0x0000: 4550 0053 2262 4000 f011 3c93 a107 810a
EP.S"b@...<.....</tt><tt><br>
</tt><tt> 0x0010: 0a0c ff36 0035 95f3 003f bd6c 87a2 <b>8080</b>
...6.5...?.l....</tt><tt><br>
</tt><tt> 0x0020: 0001 0001 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000
gov.............</tt><tt><br>
</tt><tt> 0x0040: 0e04 0004 a107 237c 0000 2910 0000 0000
......#|..).....</tt><tt><br>
</tt><tt> 0x0050: 0000 00 ...</tt></p>
<p>Now I get:</p>
<p>87a2 = ident</p>
<p>8080 = flags: QR=1, RA=1</p>
<p>i.e. now it's responding just like a recursor!!</p>
<p>I notice the dig request has 0020 for flags, i.e. AD=1. I can fix
that to make flags 0000:<br>
</p>
<p># dig +norec +noad @161.7.129.10 leg.mt.gov. a<br>
</p>
<p><tt>10:37:08.595577 IP 10.12.255.54.59200 > 161.7.129.10.53:
710 [1au] A? leg.mt.gov. (51)</tt><tt><br>
</tt><tt> 0x0000: 4500 004f f7db 0000 4011 576e 0a0c ff36
<a class="moz-txt-link-abbreviated" href="mailto:E..O....@.Wn...6">E..O....@.Wn...6</a></tt><tt><br>
</tt><tt> 0x0010: a107 810a e740 0035 003b 2ba1 02c6 0000
.....@.5.;+.....</tt><tt><br>
</tt><tt> 0x0020: 0001 0000 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 0000 2910 0000 0000
gov.......).....</tt><tt><br>
</tt><tt> 0x0040: 0000 0c00 0a00 08e7 a9b0 0c46 4733 22
...........FG3"</tt><tt><br>
</tt><tt>10:37:08.714776 IP 161.7.129.10.53 >
10.12.255.54.59200: 710 1/0/1 A 161.7.35.124 (55)</tt><tt><br>
</tt><tt> 0x0000: 4550 0053 7930 4000 f211 e3c4 a107 810a
EP.Sy0@.........</tt><tt><br>
</tt><tt> 0x0010: 0a0c ff36 0035 e740 003f f104 02c6 <b>8080</b>
...6.5.@.?......</tt><tt><br>
</tt><tt> 0x0020: 0001 0001 0000 0001 036c 6567 026d 7403
.........leg.mt.</tt><tt><br>
</tt><tt> 0x0030: 676f 7600 0001 0001 c00c 0001 0001 0000
gov.............</tt><tt><br>
</tt><tt> 0x0040: 0dfb 0004 a107 237c 0000 2910 0000 0000
......#|..).....</tt><tt><br>
</tt><tt> 0x0050: 0000 00 ...</tt></p>
<p>Gargh... it's still responding like a recursor!</p>
<p>It looks like there is some sort of wacky views mechanism on this
server, which uses some weird attribute of the request to infer
whether it's coming from a stub resolver or from a recursor
(instead of just looking at the RD bit like it should). But I
don't have time to dig further - I'll hand this back to you.<br>
</p>
<p>You might want to try recursor 4.3.0 anyway, since that works for
me.<br>
</p>
<p>Cheers,</p>
<p>Brian.<br>
</p>
</body>
</html>