Suboptimal behavior from nsd

Ted Lindgreen ted at tednet.nl
Thu Jan 8 13:36:51 UTC 2004


[Quoting Stephane Bortzmeyer, on Jan  8, 13:55, in "Suboptimal behavior  ..."]

> Hello, and Happy New year to nsd-users,
> 
> I just detected a sub-optimal (but probably legal) behavior of
> nsd. (You are welcome to perform tests with ns2.nic.fr, which runs nsd
> 1.2.2.)
> 
> When a nsd server is authoritative, it does not send in the Additional
> section every information it has.

An authoritative-only server should only produce the necessary
glue:  info about in-zone nameservers, and no other Additional
data.  The fact that older, broken resolvers used any supplied
additional data made the DNS system vulnerable.

Let's look at your examples:

> ;; AUTHORITY SECTION:
> enst.fr.                345600  IN      NS      minos.enst.fr.
> enst.fr.                345600  IN      NS      enst.enst.fr.
> enst.fr.                345600  IN      NS      infres.enst.fr.
> enst.fr.                345600  IN      NS      phoenix.uneec.eurocontrol.fr.
> 
> ;; ADDITIONAL SECTION:
> minos.enst.fr.          345600  IN      A       137.194.2.34
> enst.enst.fr.           345600  IN      A       137.194.2.16
> infres.enst.fr.         345600  IN      A       137.194.160.3
> phoenix.uneec.eurocontrol.fr. 345600 IN A       147.196.69.1

Officially, no glue for phoenix.uneec.eurocontrol.fr is needed here.
This is out-of-zone glue which should not be present.
Anyway, "good" resolvers will discard this info, and requery for
phoenix.uneec.eurocontrol.fr before going there.

> ;; ANSWER SECTION:
> supelec.fr.             86400   IN      NS      supelec.supelec.fr.
> supelec.fr.             86400   IN      NS      infogif.supelec.fr.
> supelec.fr.             86400   IN      NS      hermes.supelec.fr.
> supelec.fr.             86400   IN      NS      ns2.nic.fr.
> 
> ;; ADDITIONAL SECTION:
> supelec.supelec.fr.     86400   IN      A       160.228.120.192
> infogif.supelec.fr.     86400   IN      A       160.228.120.190
> hermes.supelec.fr.      86400   IN      A       160.228.120.109

This is the correct additional section.

-- ted
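
The rule described in the reply above (accept glue only for in-zone nameservers, discard anything else and requery), sketched as a resolver-side filter. This is an added example, not part of the original post and not code from nsd or any resolver; the function names and the tuple layout are assumptions, and the sample records are the ones quoted in the message.

```python
# Added example: bailiwick filter for Additional-section records.
# Function names and the (owner, type, rdata) layout are illustrative.

def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it.

    Compared label by label, so 'evilenst.fr.' is not inside 'enst.fr.'.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_additional(zone, ns_targets, additional):
    """Split Additional records into (kept, discarded).

    A record is kept only if it is an address record, its owner is one of
    the NS targets in the response, and that owner lies inside the zone.
    """
    targets = {tuple(labels(t)) for t in ns_targets}
    kept, discarded = [], []
    for owner, rtype, rdata in additional:
        ok = (rtype in ("A", "AAAA")
              and tuple(labels(owner)) in targets
              and in_zone(owner, zone))
        (kept if ok else discarded).append((owner, rtype, rdata))
    return kept, discarded

# Records from the enst.fr response quoted in the message.
ENST_NS = ["minos.enst.fr.", "enst.enst.fr.", "infres.enst.fr.",
           "phoenix.uneec.eurocontrol.fr."]
ENST_ADDITIONAL = [
    ("minos.enst.fr.", "A", "137.194.2.34"),
    ("enst.enst.fr.", "A", "137.194.2.16"),
    ("infres.enst.fr.", "A", "137.194.160.3"),
    ("phoenix.uneec.eurocontrol.fr.", "A", "147.196.69.1"),
]

if __name__ == "__main__":
    kept, discarded = filter_additional("enst.fr.", ENST_NS, ENST_ADDITIONAL)
    for rec in kept:
        print("keep   ", *rec)
    for rec in discarded:
        print("discard", *rec, "(out of zone: requery before use)")
```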


