Suboptimal behavior from nsd
Ted Lindgreen
ted at tednet.nl
Thu Jan 8 13:36:51 UTC 2004
[Quoting Stephane Bortzmeyer, on Jan 8, 13:55, in "Suboptimal behavior ..."]
> Hello, and Happy New year to nsd-users,
>
> I just detected a sub-optimal (but probably legal) behavior of
> nsd. (You are welcome to perform tests with ns2.nic.fr, which runs nsd
> 1.2.2.)
>
> When a nsd server is authoritative, it does not send in the Additional
> section every information it has.
An authoritative-only server should only produce the necessary
glue: info about in-zone nameservers, and no other Additional
data. The fact that older, broken resolvers used any supplied
additional data made the DNS system vulnerable.

Let's look at your examples:
> ;; AUTHORITY SECTION:
> enst.fr. 345600 IN NS minos.enst.fr.
> enst.fr. 345600 IN NS enst.enst.fr.
> enst.fr. 345600 IN NS infres.enst.fr.
> enst.fr. 345600 IN NS phoenix.uneec.eurocontrol.fr.
>
> ;; ADDITIONAL SECTION:
> minos.enst.fr. 345600 IN A 137.194.2.34
> enst.enst.fr. 345600 IN A 137.194.2.16
> infres.enst.fr. 345600 IN A 137.194.160.3
> phoenix.uneec.eurocontrol.fr. 345600 IN A 147.196.69.1
Officially, no glue for phoenix.uneec.eurocontrol.fr is needed here.
This is out-of-zone glue which should not be present.
Anyway, "good" resolvers will discard this info, and requery for
phoenix.uneec.eurocontrol.fr before going there.
> ;; ANSWER SECTION:
> supelec.fr. 86400 IN NS supelec.supelec.fr.
> supelec.fr. 86400 IN NS infogif.supelec.fr.
> supelec.fr. 86400 IN NS hermes.supelec.fr.
> supelec.fr. 86400 IN NS ns2.nic.fr.
>
> ;; ADDITIONAL SECTION:
> supelec.supelec.fr. 86400 IN A 160.228.120.192
> infogif.supelec.fr. 86400 IN A 160.228.120.190
> hermes.supelec.fr. 86400 IN A 160.228.120.109
This is the correct additional section.
-- ted
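
Added example, not part of the original message and not nsd or resolver source code: a resolver-side sketch of the check described above, which keeps additional address records only for NS targets inside the delegated zone and discards the rest. The function names are hypothetical, the bailiwick is assumed to be the owner name of the NS records, and the sample input is the enst.fr response quoted in the thread.

```python
def normalize(name):
    """Lower-case a domain name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it (compared label by label)."""
    if not normalize(zone):          # the root zone contains every name
        return True
    n, z = normalize(name).split("."), normalize(zone).split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def parse_rr(line):
    """Parse one dig-style line: owner TTL class type rdata."""
    owner, ttl, rrclass, rrtype, rdata = line.split(None, 4)
    return {"owner": normalize(owner), "ttl": int(ttl), "class": rrclass,
            "type": rrtype, "rdata": rdata.strip()}

def split_additional(zone, ns_lines, additional_lines):
    """Return (kept, discarded) additional records for a response about `zone`.

    A record is kept only if it is an address record, its owner is the target
    of one of the zone's NS records, and that owner lies inside the zone.
    """
    ns_targets = {normalize(rr["rdata"]) for rr in map(parse_rr, ns_lines)
                  if rr["type"] == "NS" and rr["owner"] == normalize(zone)}
    kept, discarded = [], []
    for rr in map(parse_rr, additional_lines):
        ok = (rr["type"] in ("A", "AAAA") and rr["owner"] in ns_targets
              and in_zone(rr["owner"], zone))
        (kept if ok else discarded).append(rr)
    return kept, discarded

# Sample input: the enst.fr records quoted in the message above.
ENST_NS = [
    "enst.fr. 345600 IN NS minos.enst.fr.",
    "enst.fr. 345600 IN NS enst.enst.fr.",
    "enst.fr. 345600 IN NS infres.enst.fr.",
    "enst.fr. 345600 IN NS phoenix.uneec.eurocontrol.fr.",
]
ENST_ADDITIONAL = [
    "minos.enst.fr. 345600 IN A 137.194.2.34",
    "enst.enst.fr. 345600 IN A 137.194.2.16",
    "infres.enst.fr. 345600 IN A 137.194.160.3",
    "phoenix.uneec.eurocontrol.fr. 345600 IN A 147.196.69.1",
]

if __name__ == "__main__":
    kept, discarded = split_additional("enst.fr.", ENST_NS, ENST_ADDITIONAL)
    print("kept:     ", [rr["owner"] for rr in kept])
    print("discarded:", [rr["owner"] for rr in discarded])
```

A resolver applying this check still has to look up the address of any discarded name itself before querying that server.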