[dns-operations] Reporting glue as authoritive data -- Bug!

Mark Andrews Mark_Andrews at isc.org
Thu Jan 31 22:16:17 UTC 2008

	As far as I can see, there was a problem observed and
	the nameservers were reverted and apart from trying to
	identify the clients that's were the analysis stopped.

	Glue is not the same as a cached answer as it not learnt
	from the authoritative source in a automatic manner.  It
	also does not timeout.  Returning glue as answers causes
	problems for people when that glue is out of date and the
	appears to be no process in place to ensure that glue gets
	corrected in a timely manner.

	It also causes problems to some DNSSEC validators.

	Also there does not appear to have been any analysis done
	to minimize the use of putting glue into the answer section.

	In Ed's ARPA case it won't be needed if the record is in
	the additional section ad BIND 4 and the BIND 8's which had
	the very small limits would continue if they saw the record
	in the additional section.

	Just not putting the record in the answer section if it is
	in the additional section would address a large amount of
	the issue.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list