[nsd-users] NSD 4.0.1: referral from parent instead of SERVFAIL
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Thu Jan 30 13:57:25 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Anand, Peter,
On 01/28/2014 06:12 PM, Peter Koch wrote:
> On Tue, Jan 28, 2014 at 05:30:25PM +0100, Anand Buddhdev wrote:
>
>> ;; AUTHORITY SECTION: 14.109.in-addr.arpa. 172800 IN NS
>> ns.ripe.net. 14.109.in-addr.arpa. 172800 IN NS
>> nsrev00.dns.sfr.net. 14.109.in-addr.arpa. 172800 IN NS
>> nsrev01.dns.sfr.net.
>>
>> Why doesn't NSD do a closest match and return SERVFAIL?
It does a code-particularity, and this is why it attempts to return
this data. In a different expired case it might have given servfail.
It has now been fixed to behave like Bind, Knot: it returns SERVFAIL,
even if there is a parent zone.
> in this case, ns.ripe.net does not know about the zone, but the
> other two servers respond authoritatively. That means a resolver
> starting at "ns.ripe.net" can recover only by using another one of
> 109.in-addr.arpa's servers, whereas the NSD behaviour would make
> possible a recovery one level below. Not saying it is _the_ way to
> go, but it makes a lot of sense to me. And then there's DNSSEC,
> suggesting to be extra careful with child/grandchild zone
> interaction.
Yes, it could be useful, but would take different action to make that
work all of the time. I can certainly implement it, the question is
what is right. Right now, I'll do what the other two do for
compatibility.
Best regards,
Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJS6lpFAAoJEJ9vHC1+BF+NHgUP/2YgKyPgj5/LgztHUIOAqifp
5mLuKEcpVj7rbp7CU+3CkEDHaGmnKBAAKWIaypY3ioR7MvCz3RGHSXRxqivVv05d
R3yHcJJd3VwSrrnVoLFqE1JYhthVh1rHl6dvY53GOBU2gGoNV+IteCbN5jO7S0Hy
DBCbSg4QeouEtLhggoQ+dmFF6KRZOyfAGHoIX/C7IEMlj2g+G3oRGjMbyzgEE+qV
HQQBP9/iGARt3HxEg3hB9Riy3uXmAr5HyTY0bkDSGVwo/ik0pV+pfancd8m/nlBF
7+mU1W4WCC2Y9dNxjuUiJjbCO6aBJ1oNoy86CshJQndvx/47Fmv8TrloDBzT36uO
FyUSU7zsu5dB4fRgoQyzHDrsUL98lqpEo750OB+21ktQt/RPNCexVJFOOC2RcKQr
AWa+mQpqCpPKmuW8cZR9eiaYmHfquQMg3fTxd36AcdRxwreuZwty3MldPDePu3j3
hlz9M6FhE9a0Ijd3tVuZQVVsMYIFCWzePVDfJXWtVoFM98RP7/rA7/jsjShuBS+w
E2H2pEH8/Wiq3OjVX/fFt4wsxswU9jfTx7yIKCijAZ9Q/f+O5LPVKxoiWaguCWgs
pDL3HlrbjJCsUBX0RfOrzY+J+k8l/muxM7CgykGBABiDQdUmqL3BqdCCGy8u2VhG
BGjEmLmCj16cCDxGE2X0
=whWw
-----END PGP SIGNATURE-----
More information about the nsd-users
mailing list