"Unrelated Additional Info" from Windows 2000 Active Director y servers

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Oct 5 01:23:19 UTC 2001 

> In article <9pilbl$rff at pub3.rc.vix.com>, O'Neil,Kevin <oneil at oclc.org> wrote:
> >Here's the dig:
> >
> >net-thing 37 /tftpboot: dig soa metka-t.oa.oclc.org
> >
> >; <<>> DiG 8.3 <<>> soa metka-t.oa.oclc.org 
> >;; res options: init recurs defnam dnsrch
> >;; got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> >;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> >;; QUERY SECTION:
> >;;      metka-t.oa.oclc.org, type = SOA, class = IN
> >
> >;; AUTHORITY SECTION:
> >oa.oclc.org.            1H IN SOA       oa1-server.oa.oclc.org.
> >administrator.oa.oclc.org. (
> >                                        47625           ; serial
> >                                        15M             ; refresh
> >                                        10M             ; retry
> >                                        1D              ; expiry
> >                                        15M )           ; minimum
> >
> >
> >;; ADDITIONAL SECTION:
> >oa1-server.oa.oclc.org.  1H IN A  132.174.29.60
> >
> >;; Total query time: 7 msec
> >;; FROM: net-thing to SERVER: default -- 132.174.47.100
> >;; WHEN: Thu Oct  4 16:00:46 2001
> >;; MSG SIZE  sent: 37  rcvd: 114
> 
> What BIND is warning about is that there's no requirement to include the A
> record for the SOA MNAME in the Additional Records section.  I suspect that
> Microsoft DNS does it for the benefit of dynamic update clients; since
> updates should be sent to the master server, they would need to do that A
> query right after the SOA query (this is the same reason that related A
> records are returned in MX or NS queries).

	Updates should be sent to the nameservers listed in the NS RRset.
	If the MNAME matches one of the listed nameservers it should be
	tried first.  The reason for this is to allow update to work
	through firewalls to stealth masters.

	The slaves forward the update (via the zone transfer graph),
	potentially changing only the id, and the response is sent back
	correcting the id if required.  TSIG does NOT cover id specifically
	to allow this to work.

	Before you tell us about nsupdate in bind 9 being broken, we know.

> 
> >I don't think that it's something to be concerned with.  And there doesn't
> >seem to be anything to be done about it.
> 
> I suspect the reason for the warning is that inappropriate additional info
> can be a source of cache poisoning.  I presume that the warning implies
> that the unrelated records are being ignored, so the server complaining is
> safe.
> 
> -- 
> Barry Margolin, barmar at genuity.net
> Genuity, Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the grou
> p.
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list