[nsd-users] Unexpected responses to ANY queries over TCP

Anand Buddhdev anandb at ripe.net
Thu May 7 20:26:58 UTC 2020

On 07/05/2020 22:11, Tuomo Soini wrote:

Hi Tuomo,

> You missed the point.
> If authoritative answers over tcp with any data, resolver dns can
> answer to victim with udp.

No, it seems you haven't understood how a resolver works. Suppose a 
signed zone's apex has SOA, A, AAAA, TXT, DNSKEY, MX and NS records, 
along with RRSIG records for all these.

Now suppose a resolver queries for these records individually, one at a 
time, and caches them all.

Finally, suppose a client queries this resolver with an ANY for this 
zone's apex. The resolver will return *all* those cached records to the 

Whether a resolver gets all these records from the authoritative server 
with a single ANY query, or by querying for the records individually, 
its response to a downstream client's ANY query will be the same. I can 
tell you with certainty that at least BIND behaves this way, because I 
have experimented and observed.

Before you reply to this thread to tell me I'm wrong, please set up a 
resolver or two, and test this yourself to understand it :)


More information about the nsd-users mailing list