[dns-operations] Is there value to leaving additional-from-auth enabled?
wessels at dns-oarc.net
Fri Jan 30 23:51:11 UTC 2009
On Wed, 28 Jan 2009, David Coulthart wrote:
> and then with additional-from-auth disabled:
> $ dig @ext-ns2.columbia.edu. a www.heartsource.columbia.edu.
> ;; ANSWER SECTION:
> www.heartsource.columbia.edu. 3600 IN CNAME salk.cpmc.columbia.edu.
> ;; Query time: 1 msec
> ;; SERVER: 18.104.22.168#53(22.214.171.124)
> ;; WHEN: Wed Jan 28 14:31:23 2009
> ;; MSG SIZE rcvd: 70
> If I leave additional-from-auth enabled, does a recursive nameserver trust
> all of the data in the response or does it go out & look up the A record for
> the target of the CNAME to make sure it is right? If it's the former, then
> it seems like leaving additional-from-auth enabled does offer some
> performance benefit, while if it's the latter then it seems like it's just a
> waste of time. Or is there some other reasoning I should be considering?
I suppose the answer is implementation dependent but my guess would be that
the recursive nameserver trusts all the data, subject to the "in-bailiwick"
rules. That is, if your nameserver was queried because it's authoritative
for columbia.edu, then the iterator should also trust the A record.
But if the iterator got to your nameserver because it is authoritative
for heartsource.columbia.edu, then it shouldn't trust the A record.
That's my guess anyway. Maybe bind-users (or whatever) could give a
more confident answer.
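The bailiwick rule in the reply above, written out as an added example (this is not code from the thread, nor from BIND or any other resolver, and real resolvers layer further credibility ranking on top of it). It assumes the resolver knows which zone it was delegated to the server for, uses constructed records shaped after the quoted dig output, and invents the address 192.0.2.10 (an RFC 5737 documentation address) for the A record that additional-from-auth would let the server append:

```python
"""Bailiwick filter for records returned by an authoritative server.

Illustration added to this archive page, not resolver code. It models the
rule from the reply: a resolver that reached a server because that server
is authoritative for zone Z should only accept records whose owner name is
Z itself or a name below Z. Anything else (here, the A record for the CNAME
target) is dropped and must be looked up separately. Records are
constructed sample data; the address 192.0.2.10 is a made-up RFC 5737
documentation address.
"""

from typing import Iterable, List, Tuple

# (owner, rrtype, rdata) -- constructed sample records
RR = Tuple[str, str, str]


def _labels(name: str) -> List[str]:
    """Split a DNS name into case-folded labels, ignoring the trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is `zone` itself or a subdomain of it.

    Comparison is label by label, not a string suffix test, so
    notcolumbia.edu is correctly *not* inside columbia.edu.
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, records: Iterable[RR]) -> Tuple[List[RR], List[RR]]:
    """Split records into (accepted, rejected) by the bailiwick rule."""
    accepted: List[RR] = []
    rejected: List[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


def names_needing_lookup(zone: str, records: Iterable[RR]) -> List[str]:
    """CNAME targets the resolver must still resolve on its own, because the
    address record for them was either absent or rejected as out-of-bailiwick."""
    accepted, _ = filter_response(zone, records)
    have_addr = {owner for (owner, rtype, _) in accepted if rtype in ("A", "AAAA")}
    return [rdata for (_, rtype, rdata) in accepted
            if rtype == "CNAME" and rdata not in have_addr]


# Constructed response modelled on the thread: the CNAME from the dig output
# plus the A record a server with additional-from-auth enabled would add.
RESPONSE: List[RR] = [
    ("www.heartsource.columbia.edu.", "CNAME", "salk.cpmc.columbia.edu."),
    ("salk.cpmc.columbia.edu.", "A", "192.0.2.10"),
]


if __name__ == "__main__":
    # Same server, two different reasons for the resolver to have reached it.
    for zone in ("columbia.edu.", "heartsource.columbia.edu."):
        acc, rej = filter_response(zone, RESPONSE)
        print(f"reached as authoritative for {zone}: "
              f"accept {len(acc)}, reject {len(rej)}, "
              f"still to resolve: {names_needing_lookup(zone, RESPONSE)}")
```

Run as shown, the script accepts both records when the resolver was delegated to the server for columbia.edu, and rejects the A record (leaving salk.cpmc.columbia.edu. to be resolved separately) when it was delegated for heartsource.columbia.edu. That is the split the reply describes: the extra record only saves a round trip when the CNAME target falls inside the zone the resolver already trusts the server for.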