[dns-operations] Is there value to leaving additional-from-auth enabled?
David Coulthart
davec at columbia.edu
Wed Jan 28 20:11:27 UTC 2009
With all of the recent discussion around the "isprime attack," I've
been revisiting the configuration of my authoritative nameservers. I
clearly see why additional-from-cache should be disabled on an auth-
only NS, but I'm still a bit unclear about additional-from-auth.
Testing a very simple case whose response differs depending on whether
additional-from-auth is enabled or not, the difference in query time I
measured was negligible. But this was done using a simple dig
directly against the authoritative nameserver & doesn't examine the
complete path of a query from a normal client. The example was
looking up the A record for a domain name which was in fact a CNAME
pointing to a record in a different zone that the same nameserver is
authoritative for. Specifically, with additional-from-auth enabled:
$ dig @ext-ns2.columbia.edu. a www.heartsource.columbia.edu.
...
;; ANSWER SECTION:
www.heartsource.columbia.edu. 3600 IN CNAME salk.cpmc.columbia.edu.
salk.cpmc.columbia.edu. 3600 IN A 156.111.235.67
;; AUTHORITY SECTION:
cpmc.columbia.edu. 3600 IN NS bc-dns10.cpmc.columbia.edu.
cpmc.columbia.edu. 3600 IN NS bc-dns20.cpmc.columbia.edu.
;; ADDITIONAL SECTION:
bc-dns10.cpmc.columbia.edu. 3600 IN A 156.111.60.150
bc-dns20.cpmc.columbia.edu. 3600 IN A 156.111.70.150
;; Query time: 2 msec
;; SERVER: 128.59.62.15#53(128.59.62.15)
;; WHEN: Wed Jan 28 14:30:16 2009
;; MSG SIZE rcvd: 164
and then with additional-from-auth disabled:
$ dig @ext-ns2.columbia.edu. a www.heartsource.columbia.edu.
;; ANSWER SECTION:
www.heartsource.columbia.edu. 3600 IN CNAME salk.cpmc.columbia.edu.
;; Query time: 1 msec
;; SERVER: 128.59.62.15#53(128.59.62.15)
;; WHEN: Wed Jan 28 14:31:23 2009
;; MSG SIZE rcvd: 70
If I leave additional-from-auth enabled, does a recursive nameserver
trust all of the data in the response or does it go out & look up the
A record for the target of the CNAME to make sure it is right? If
it's the former, then it seems like leaving additional-from-auth
enabled does offer some performance benefit, while if it's the latter
then it seems like it's just a waste of time. Or is there some other
reasoning I should be considering?
Thanks,
Dave C.
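The question above turns on which records in that response a recursive resolver is willing to trust. Resolvers apply a bailiwick rule for this: records whose owner name lies outside the zone the server was asked about are not cached from that response and are looked up separately. The following Python example is an added illustration, not part of the original post; it applies a simplified bailiwick rule to the records from the dig output above, once assuming the resolver reached the server via a delegation for heartsource.columbia.edu and once assuming it treats all of columbia.edu as in scope (both zone boundaries are assumptions made for the example).

```python
# Simplified bailiwick filter over the records from the dig output in the
# message. Added illustration, not the resolver logic of any particular
# implementation; the zone boundaries passed in are assumptions.

def is_subdomain(name, zone):
    """True if name equals zone or lies below it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

# (section, owner, type, rdata), copied from the dig output with
# additional-from-auth enabled.
RESPONSE = [
    ("answer", "www.heartsource.columbia.edu.", "CNAME", "salk.cpmc.columbia.edu."),
    ("answer", "salk.cpmc.columbia.edu.", "A", "156.111.235.67"),
    ("authority", "cpmc.columbia.edu.", "NS", "bc-dns10.cpmc.columbia.edu."),
    ("authority", "cpmc.columbia.edu.", "NS", "bc-dns20.cpmc.columbia.edu."),
    ("additional", "bc-dns10.cpmc.columbia.edu.", "A", "156.111.60.150"),
    ("additional", "bc-dns20.cpmc.columbia.edu.", "A", "156.111.70.150"),
]

def bailiwick_filter(records, queried_zone):
    """Split records into those a cache may accept (owner inside the zone the
    server was asked about) and those it discards and must fetch itself."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if is_subdomain(rec[1], queried_zone) else rejected).append(rec)
    return accepted, rejected

def unresolved_cname_targets(accepted):
    """CNAME targets whose A record did not survive the filter: the resolver
    has to chase these with its own query, so the extra data saved nothing."""
    have_a = {r[1] for r in accepted if r[2] == "A"}
    return [r[3] for r in accepted if r[2] == "CNAME" and r[3] not in have_a]

if __name__ == "__main__":
    # Assumed zone boundaries: a delegation to heartsource.columbia.edu versus
    # the whole columbia.edu zone being served by the same nameserver.
    for zone in ("heartsource.columbia.edu.", "columbia.edu."):
        acc, rej = bailiwick_filter(RESPONSE, zone)
        print(zone, "accepted:", len(acc), "rejected:", len(rej),
              "must chase:", unresolved_cname_targets(acc))
```

With the narrow zone only the CNAME itself survives and the resolver still has to look up salk.cpmc.columbia.edu; with the wide zone all six records are in bailiwick and the round trip is saved, which is the distinction the performance question hinges on.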