DNSTAP logs as recursive all queries with RD=1
Johan Ihren mentioned to me that DNSTAP is logging incoming packets as being "client queries", not "auth queries", if RD=1, even though the servers he operates are authoritative only. This can cause dnstap to include a different set of fields when logging the responses, which may omit useful information such as the zone in which the answer was found. DNSTAP is therefore less useful if, for instance, they're under a DDOS attack using RD=1 queries.
The comments in the DNSTAP schema say:
// AUTH_QUERY is a DNS query message received from a resolver by an // authoritative name server, from the perspective of the authorative // name server. [...] // CLIENT_QUERY is a DNS query message sent from a client to a DNS // server which is expected to perform further recursion, from the // perspective of the DNS server. The client may be a stub resolver or // forwarder or some other type of software which typically sets the RD // (recursion desired) bit when querying the DNS server. The DNS server // may be a simple forwarding proxy or it may be a full recursive // resolver.
If recursion is not allowed, then the server can't be said to be "expected to perform further recursion", so we should include that consideration when deciding which type to use when logging.