Opened 10 years ago

Closed 10 years ago

#93 closed defect (fixed)

Authoritative NS records in DNS server

Reported by: kchen
Owned by:
Priority: minor
Milestone:
Component: dns
Version:
Keywords:
Cc:

Description

Zones should have NS records listing the authoritative nameservers for the zone. Aside from being required (see for example RFC 2181, section 6.1), these records also control how authoritative client nameservers treat the information -- for example, from BIND's cache, compare:

; glue
xvm.MIT.EDU.    21585 NS NS1.xvm.mit.edu.
; authauthority
CSAIL.MIT.EDU.  14197 NS lampang.lcs.mit.edu.
                14197 NS auth-ns0.csail.mit.edu.
                14197 NS auth-ns1.csail.mit.edu.
                14197 NS auth-ns2.csail.mit.edu.
                14197 NS auth-ns3.csail.mit.edu.

In addition to returning such records for an NS query, the DNS server should (although isn't required to) also return the NS records for the top of the zone, which also affects how client nameservers treat the information. For example:

kchen@scyther:~$ dig abra.mit.edu @bitsy.mit.edu

; <<>> DiG 9.3.4 <<>> abra.mit.edu @bitsy.mit.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;abra.mit.edu. IN A

;; ANSWER SECTION:
abra.mit.edu. 21600 IN A 18.181.0.105

;; AUTHORITY SECTION:
mit.edu. 21600 IN NS BITSY.mit.edu.
mit.edu. 21600 IN NS W20NS.mit.edu.
mit.edu. 21600 IN NS STRAWB.mit.edu.
[snip]

RFC 2181 section 5.4.1 talks a bit about how the NS records in the authority section are treated.

Change History (7)

comment:1 Changed 10 years ago by kchen

  • Component changed from other to dns
  • Owner changed from sipb-xen to ecprice

After a bit more reading (to figure out why BIND has the behavior it does), I found that these should only be used for positive responses. Upon reading RFC 2308, it sounds like the reason to not put NS records in the authority section for negative answers is to be able to tell the difference between a referral and a lack of answers, so negative answers should not have NS records in them.

comment:2 Changed 10 years ago by kchen

  • Owner changed from ecprice to sipb-xen
  • Status changed from new to assigned

comment:3 Changed 10 years ago by kchen

  • Component changed from dns to other

comment:4 Changed 10 years ago by kchen

  • Component changed from other to dns

comment:5 Changed 10 years ago by broder

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed in r541

comment:6 Changed 10 years ago by broder

  • Resolution fixed deleted
  • Status changed from closed to reopened

Ok, that's a lie. The DNS server isn't currently serving an NS query for xvm.mit.edu correctly - it should be returning the NS record in the answer, not the authority.

comment:7 Changed 10 years ago by broder

  • Resolution set to fixed
  • Status changed from reopened to closed

I believe this is fixed in r582
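
The section-placement rules worked out across this ticket (apex NS in the authority section of positive answers, in the answer section for an NS query on the zone itself, and no NS in negative answers), as an added Python example that is not the project's DNS server code. The zone `example.test.`, its records and the function name `build_response` are constructed for illustration; the SOA record in negative replies follows RFC 2308, and the zone is assumed to have no delegations, CNAMEs or wildcards.

```python
# Added example: where an authoritative server puts NS records in a reply.
# ZONE and every record in it are constructed sample data.
ZONE = {
    "origin": "example.test.",
    "soa": ("example.test.", 3600, "SOA",
            "ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600"),
    "records": {
        ("example.test.", "NS"): ["ns1.example.test.", "ns2.example.test."],
        ("ns1.example.test.", "A"): ["192.0.2.1"],
        ("ns2.example.test.", "A"): ["192.0.2.2"],
        ("www.example.test.", "A"): ["192.0.2.80"],
    },
}

def build_response(zone, qname, qtype, ttl=3600):
    """Return rcode plus answer/authority/additional lists of (name, ttl, type, rdata)."""
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    origin, recs = zone["origin"], zone["records"]
    resp = {"rcode": "NOERROR", "aa": True,
            "answer": [], "authority": [], "additional": []}
    # Names outside the zone are not ours to answer authoritatively.
    if qname != origin and not qname.endswith("." + origin):
        return {**resp, "rcode": "REFUSED", "aa": False}
    apex_ns = [(origin, ttl, "NS", t) for t in recs.get((origin, "NS"), [])]
    rdata = recs.get((qname, qtype))
    if rdata:
        # Positive answer: the requested RRset goes in the answer section.
        resp["answer"] = [(qname, ttl, qtype, r) for r in rdata]
        # Apex NS goes in authority, unless the NS RRset is itself the answer
        # (the case comment:6 reports as broken).
        if not (qname == origin and qtype == "NS"):
            resp["authority"] = apex_ns
        # Addresses of the listed nameservers go in the additional section.
        for _, _, _, target in apex_ns:
            for addr in recs.get((target, "A"), []):
                resp["additional"].append((target, ttl, "A", addr))
        return resp
    # Negative answer (NXDOMAIN or NODATA): SOA only, no NS, so a resolver
    # cannot mistake the reply for a referral (the point made in comment:1).
    name_exists = any(name == qname for name, _ in recs)
    resp["rcode"] = "NOERROR" if name_exists else "NXDOMAIN"
    resp["authority"] = [zone["soa"]]
    return resp
```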
