nslookup: No need to try the next server after getting the authoritative answer
Summary
The DNS server returns an authoritative answer, but nslookup won't use that.
nslookup version used
nslookup 9.11.5-P4-5.1+deb10u6-Debian
Steps to reproduce
Step 1: Set your local DNS to these DNS servers of Google.
nameserver 216.239.32.10 // ns1.google.com
nameserver 216.239.34.10 // ns2.google.com
nameserver 8.8.8.8 // Google public DNS
nameserver 8.8.4.4 // Google public DNS
Step 2: nslookup
An authoritative answer can be found at ns1.google.com, but nslookup won't use that and tries the next server.
$ nslookup www.google.com
;; Got recursion not available from 216.239.32.10, trying next server
;; Got recursion not available from 216.239.34.10, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.google.com
Address: 142.251.167.99
Name: www.google.com
Address: 142.251.167.104
Name: www.google.com
Address: 142.251.167.106
Name: www.google.com
Address: 142.251.167.147
Name: www.google.com
Address: 142.251.167.103
Name: www.google.com
Address: 142.251.167.105
;; Got recursion not available from 216.239.32.10, trying next server
;; Got recursion not available from 216.239.34.10, trying next server
Name: www.google.com
Address: 2607:f8b0:4004:c1d::63
Name: www.google.com
Address: 2607:f8b0:4004:c1d::68
Name: www.google.com
Address: 2607:f8b0:4004:c1d::6a
Name: www.google.com
Address: 2607:f8b0:4004:c1d::67
Step 3: dig
The DNS server returns the AA flag but not the RA flag.
$ dig www.google.com
; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24959
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.253.63.147
www.google.com. 300 IN A 172.253.63.103
www.google.com. 300 IN A 172.253.63.104
www.google.com. 300 IN A 172.253.63.105
www.google.com. 300 IN A 172.253.63.99
www.google.com. 300 IN A 172.253.63.106
;; Query time: 1 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Sep 05 11:44:56 UTC 2023
;; MSG SIZE rcvd: 139
What is the current bug behavior?
nslookup ignores the authoritative answer but expects the answer with a recursion available flag.
What is the expected correct behavior?
nslookup respects the authoritative answer.
Possible fixes
https://gitlab.isc.org/isc-projects/bind9/-/blob/main/bin/dig/dighost.c#L4302-L4329
if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
+ (check_ra && (msg->flags & (DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_RA)) == 0 && l->recurse))
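Review bot: On the `+` line, folding DNS_MESSAGEFLAG_AA into the mask means the branch is skipped whenever either AA or RA is set, but the guard is still named check_ra and the nslookup output in step 2 still describes the skip as "recursion not available", so the intent is no longer readable from the condition itself. Add a comment above the condition saying that an authoritative answer is accepted even without RA, and wrap the condition so the line stays within the length of the lines around it. The new test looks only at the flags, so the description should also state whether a reply with AA set and an empty answer section is meant to stop the server search as well.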
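The RA half of the condition before and after the proposed change, applied to DNS header flag words, as an added example (not code from this report or from BIND). The macro and function names are local to the example, the servfail half of the condition is left out, and the header bytes are constructed, the first set from the dig output in step 3.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header flag bits from RFC 1035 section 4.1.1 (local names, not BIND's). */
#define FLAG_QR 0x8000u
#define FLAG_AA 0x0400u
#define FLAG_RA 0x0080u

/* Constructed headers. sample_auth matches the dig output in step 3:
 * id 24959, flags "qr aa rd", QUERY 1, ANSWER 6, AUTHORITY 0, ADDITIONAL 1. */
static const uint8_t sample_auth[12] = {0x61, 0x7f, 0x85, 0x00, 0, 1, 0, 6, 0, 0, 0, 1};
/* "qr rd ra": what a recursive resolver returns. */
static const uint8_t sample_recursive[12] = {0x61, 0x7f, 0x81, 0x80, 0, 1, 0, 6, 0, 0, 0, 1};
/* "qr rd": neither authoritative nor recursive, e.g. a referral. */
static const uint8_t sample_neither[12] = {0x61, 0x7f, 0x81, 0x00, 0, 1, 0, 0, 0, 2, 0, 0};

/* Return the flags word of a response, or -1 for a short buffer or a query. */
static int32_t header_flags(const uint8_t *msg, size_t len) {
    if (msg == NULL || len < 12) return -1;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    return (flags & FLAG_QR) ? (int32_t)flags : -1;
}

/* Condition before the change: skip the server unless RA is set. */
static bool skip_current(uint16_t flags, bool check_ra, bool recurse) {
    return check_ra && (flags & FLAG_RA) == 0 && recurse;
}

/* Condition after the change: skip only when neither AA nor RA is set. */
static bool skip_proposed(uint16_t flags, bool check_ra, bool recurse) {
    return check_ra && (flags & (FLAG_AA | FLAG_RA)) == 0 && recurse;
}

static void report(const char *label, const uint8_t *msg, size_t len) {
    int32_t f = header_flags(msg, len);
    if (f < 0) { printf("%-10s not a usable response\n", label); return; }
    printf("%-10s flags=0x%04x current=%s proposed=%s\n", label, (unsigned)f,
           skip_current((uint16_t)f, true, true) ? "next server" : "use answer",
           skip_proposed((uint16_t)f, true, true) ? "next server" : "use answer");
}

int main(void) {
    report("auth", sample_auth, sizeof sample_auth);
    report("recursive", sample_recursive, sizeof sample_recursive);
    report("neither", sample_neither, sizeof sample_neither);
    return 0;
}
```

Only the authoritative sample changes outcome between the two conditions; a reply with RA set is used either way, and a reply with neither flag is skipped either way.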