ignored glue
Kevin Darcy
kcd at daimlerchrysler.com
Tue Oct 3 19:26:10 UTC 2000
I think the official answer to this is that BIND 8 lacks "query restart",
that is to say, named will not issue another sysquery in response to a
previous sysquery. Keeping track of nested sysqueries was apparently
difficult to implement within the code structure of BIND 8 (or lack
thereof).
The implication, which I have not personally verified, is that BIND 9
*does* have query restart.
Note that this behavior of BIND 8 is not _usually_ a showstopper, since the
resolver will generally retry the query if it doesn't get an answer. If all
the nameserver needs is an A record to fill into the additional section,
then that takes only a single sysquery, which named can deal with and
return the full answer to the client.
- Kevin
jfc at mit.edu wrote:
> Recent versions of BIND named will drop additional records giving the
> addresses of nameservers if the nameservers are not within the domain
> of the question. Suppose BIND wants to find the address of a.b.c.d
> and gets this response:
> Q A? a.b.c.d
> AN (empty)
> AU NS e.c.d
> AR e.c.d A 1.2.3.4
> named will ignore the nameserver address because e.c.d isn't in the same
> domain as a.b.c.d. If the address of e.c.d isn't cached the original
> request for a.b.c.d will be dropped and named will attempt to resolve
> the namserver address in the usual way hoping that the client will
> timeout and retransmit the request after named learns the address.
>
> 1. Is this required by the RFCs? RFC 2181 5.4.1 says that the address
> in this case is in the least trustworthy category of data, but only
> requires that it not be returned as an answer. There seems to be no
> prohibition on using the address other than as an answer.
>
> 2. Would there be any security problem if named did forward the request
> to address 1.2.3.4? If the server were going to lie, it could just as
> easily give a false domain name in the NS record.
>
> 3. Do other nameservers act the same? When did this feature
> get added to BIND?
>
> --
> John Carr (jfc at mit.edu)
More information about the bind-users
mailing list