Opened 16 years ago
Closed 16 years ago
#93 closed defect (fixed)
Authoritative NS records in DNS server
Reported by: | kchen | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | dns | Version: | |
Keywords: | | Cc: | |
Description
Zones should have NS records listing the authoritative nameservers for the zone. Aside from being required (see for example RFC 2181, section 6.1), these records also control how authoritative client nameservers treat the information -- for example, from BIND's cache, compare:
```
; glue
xvm.MIT.EDU.    21585  NS  NS1.xvm.mit.edu.
; authauthority
CSAIL.MIT.EDU.  14197  NS  lampang.lcs.mit.edu.
                14197  NS  auth-ns0.csail.mit.edu.
                14197  NS  auth-ns1.csail.mit.edu.
                14197  NS  auth-ns2.csail.mit.edu.
                14197  NS  auth-ns3.csail.mit.edu.
```
In addition to returning such records for an NS query, the DNS server should (although isn't required to) also return the NS records for the top of the zone, which also affects how client nameservers treat the information. For example:
```
kchen@scyther:~$ dig abra.mit.edu @bitsy.mit.edu

; <<>> DiG 9.3.4 <<>> abra.mit.edu @bitsy.mit.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;abra.mit.edu.                  IN      A

;; ANSWER SECTION:
abra.mit.edu.           21600   IN      A       18.181.0.105

;; AUTHORITY SECTION:
mit.edu.                21600   IN      NS      BITSY.mit.edu.
mit.edu.                21600   IN      NS      W20NS.mit.edu.
mit.edu.                21600   IN      NS      STRAWB.mit.edu.
[snip]
```
RFC 2181 section 5.4.1 talks a bit about how the NS records in the authority section are treated.
Change History (7)
comment:1 Changed 16 years ago by kchen
- Component changed from other to dns
- Owner changed from sipb-xen to ecprice
comment:2 Changed 16 years ago by kchen
- Owner changed from ecprice to sipb-xen
- Status changed from new to assigned
comment:3 Changed 16 years ago by kchen
- Component changed from dns to other
comment:4 Changed 16 years ago by kchen
- Component changed from other to dns
comment:5 Changed 16 years ago by broder
- Resolution set to fixed
- Status changed from assigned to closed
Fixed in r541
comment:6 Changed 16 years ago by broder
- Resolution fixed deleted
- Status changed from closed to reopened
Ok, that's a lie. The DNS server isn't currently serving an NS query for xvm.mit.edu correctly - it should be returning the NS record in the answer, not the authority.
comment:7 Changed 16 years ago by broder
- Resolution set to fixed
- Status changed from reopened to closed
I believe this is fixed in r582
After a bit more reading (to figure out why BIND has the behavior it does), I found that these should only be used for positive responses. Upon reading RFC 2308, it sounds like the reason to not put NS records in the authority section for negative answers is to be able to tell the difference between a referral and a lack of answers, so negative answers should not have NS records in them.
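The section rules this ticket converges on (apex NS records in the answer for an NS query, in the authority section for other positive answers, and absent from negative answers), sketched as an added example that is not the XVM DNS server's code. The zone data is constructed, `respond` and `classify` are hypothetical names, and placing the SOA in negative responses follows RFC 2308 rather than anything stated in the ticket.

```python
# Added illustration; zone contents are constructed sample data.
APEX = "example.test."
ZONE = {
    (APEX, "SOA"): ["ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300"],
    (APEX, "NS"): ["ns1.example.test.", "ns2.example.test."],
    ("www.example.test.", "A"): ["192.0.2.10"],
    ("ns1.example.test.", "A"): ["192.0.2.53"],
}


def rrset(name, rtype):
    """All records of one type at one name, as (name, type, rdata) tuples."""
    return [(name, rtype, rdata) for rdata in ZONE.get((name, rtype), [])]


def respond(qname, qtype):
    """Return (rcode, answer, authority) for a query inside the zone."""
    qname = qname.lower()
    answer = rrset(qname, qtype)
    if answer:
        # Positive response: advertise the apex NS set in the authority
        # section, unless that same set is already the answer (comment:6).
        if (qname, qtype) == (APEX, "NS"):
            authority = []
        else:
            authority = rrset(APEX, "NS")
        return "NOERROR", answer, authority
    # Negative response (comment:7): no NS records, so a resolver cannot
    # mistake it for a referral. RFC 2308 puts the zone SOA here instead.
    name_exists = any(name == qname for (name, _rtype) in ZONE)
    rcode = "NOERROR" if name_exists else "NXDOMAIN"
    return rcode, [], rrset(APEX, "SOA")


def classify(rcode, answer, authority):
    """Simplified view of how a resolver reads the response."""
    types = {rtype for (_name, rtype, _rdata) in authority}
    if answer:
        return "answer"
    if rcode == "NOERROR" and "NS" in types and "SOA" not in types:
        return "referral"
    return "negative"


if __name__ == "__main__":
    for query in [(APEX, "NS"), ("www.example.test.", "A"),
                  ("www.example.test.", "AAAA"), ("nope.example.test.", "A")]:
        print(query, respond(*query))
```

An empty answer with only NS records in the authority section is what `classify` reports as a referral, which is the ambiguity the final comment describes.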