[dns-operations] Reporting glue as authoritative data -- Bug!

Lutz Donnerhacke lutz at iks-jena.de
Mon Jan 28 09:42:47 UTC 2008


* Stephane Bortzmeyer wrote:
> IMHO, this is RFC 1034, section 4.3.2. It says "If a match would take
> us out of the authoritative data, we have a referral. [...] Put
> whatever addresses are available into the additional section, using
> glue RRs if the addresses are not available from authoritative data or
> the cache." In the example given ('dig @f.gtld-servers.net A
> ns1.crsnic.net.') we are "out of the authoritative data".
>
> I agree that RFC 1034, 3.7, which says "Answer [section] Carries RRs
> which directly answer the query.", introduces ambiguity since, in the
> example given, the A record directly answers a query.
>
> Work for the IETF "DNS extensions" working group, which is currently
> busy on a "profile" RFC? (See the attached message.)

Usually DNSSEC helps to solve such ambiguous situations: Glue is not signed
and therefore not to be returned in the answer section.


