Suboptimal behavior from nsd
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Jan  8 12:52:24 UTC 2004

Hello, and Happy New Year to nsd-users,

I just detected a sub-optimal (but probably legal) behavior of
nsd. (You are welcome to perform tests with ns2.nic.fr, which runs nsd
1.2.2.)

When a nsd server is authoritative, it does not send in the Additional
section all the information it has.

Here, ns2.nic.fr is not authoritative for enst.fr, the reply is as
expected:

eve:~ % dig @ns2.nic.fr NS enst.fr
;; AUTHORITY SECTION:
enst.fr.                345600  IN      NS      minos.enst.fr.
enst.fr.                345600  IN      NS      enst.enst.fr.
enst.fr.                345600  IN      NS      infres.enst.fr.
enst.fr.                345600  IN      NS      phoenix.uneec.eurocontrol.fr.
;; ADDITIONAL SECTION:
minos.enst.fr.          345600  IN      A       137.194.2.34
enst.enst.fr.           345600  IN      A       137.194.2.16
infres.enst.fr.         345600  IN      A       137.194.160.3
phoenix.uneec.eurocontrol.fr. 345600 IN A       147.196.69.1

Here, ns2.nic.fr is authoritative for supelec.fr and one IP address is
missing from the Additional section, because it is not in the queried
domain (but it is known to the nsd server):

eve:~ % dig @ns2.nic.fr NS supelec.fr
;; ANSWER SECTION:
supelec.fr.             86400   IN      NS      supelec.supelec.fr.
supelec.fr.             86400   IN      NS      infogif.supelec.fr.
supelec.fr.             86400   IN      NS      hermes.supelec.fr.
supelec.fr.             86400   IN      NS      ns2.nic.fr.
;; ADDITIONAL SECTION:
supelec.supelec.fr.     86400   IN      A       160.228.120.192
infogif.supelec.fr.     86400   IN      A       160.228.120.190
hermes.supelec.fr.      86400   IN      A       160.228.120.109

It means that most nameservers will not bother trying to get the
missing IP address so, in practice, the fourth server will not be used
:-(

Worse, if I ask a more reasonable question:

eve:~ % dig @ns2.nic.fr A www.afnic.fr
;; ANSWER SECTION:
www.afnic.fr.           172800  IN      CNAME   rigolo.nic.fr.

The CNAME is *not* followed, probably because it is out of the zone,
despite the fact that ns2.nic.fr is also authoritative for nic.fr.

Try now with www.nic.fr, it works better:

eve:~ % dig @ns2.nic.fr A www.nic.fr
;; ANSWER SECTION:
www.nic.fr.             172800  IN      CNAME   rigolo.nic.fr.
rigolo.nic.fr.          172800  IN      A       192.134.4.20

This behaviour is probably legal (you put as many things as you want in
the Additional section, after all), but clearly sub-optimal (BIND 8
and BIND 9 do not exhibit this behaviour).

Comments?
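
The check described in the message above, as an added example that is not part of the original post: it parses dig output and lists the NS targets for which the Additional section carries no address record. The function names are hypothetical, and the sample text is the supelec.fr reply copied from the post.

```python
import re

# dig output for "NS supelec.fr", copied from the post above.
SAMPLE = """\
;; ANSWER SECTION:
supelec.fr.             86400   IN      NS      supelec.supelec.fr.
supelec.fr.             86400   IN      NS      infogif.supelec.fr.
supelec.fr.             86400   IN      NS      hermes.supelec.fr.
supelec.fr.             86400   IN      NS      ns2.nic.fr.
;; ADDITIONAL SECTION:
supelec.supelec.fr.     86400   IN      A       160.228.120.192
infogif.supelec.fr.     86400   IN      A       160.228.120.190
hermes.supelec.fr.      86400   IN      A       160.228.120.109
"""

SECTION = re.compile(r"^;; (\w+) SECTION:")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_sections(dig_text):
    """Return {section name: [(owner, type, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        record = RECORD.match(line.strip())
        if record and current:
            owner, _ttl, rtype, rdata = record.groups()
            # DNS names are case-insensitive, so compare in lower case.
            sections[current].append((owner.lower(), rtype, rdata.lower()))
    return sections

def ns_without_address(dig_text):
    """NS targets (ANSWER or AUTHORITY) with no A/AAAA record in ADDITIONAL."""
    sections = parse_sections(dig_text)
    targets = [rdata for name in ("ANSWER", "AUTHORITY")
               for _owner, rtype, rdata in sections.get(name, [])
               if rtype == "NS"]
    with_address = {owner for owner, rtype, _rdata
                    in sections.get("ADDITIONAL", [])
                    if rtype in ("A", "AAAA")}
    return [target for target in targets if target not in with_address]

if __name__ == "__main__":
    for name in ns_without_address(SAMPLE):
        print("no address record in Additional section for", name)
```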