[dns-operations] Is there value to leaving additional-from-auth enabled?

Duane Wessels wessels at dns-oarc.net
Fri Jan 30 23:51:11 UTC 2009

On Wed, 28 Jan 2009, David Coulthart wrote:

> and then with additional-from auth-disabled:
> $ dig @ext-ns2.columbia.edu. a www.heartsource.columbia.edu.
> www.heartsource.columbia.edu. 3600 IN	CNAME	salk.cpmc.columbia.edu.
> ;; Query time: 1 msec
> ;; SERVER:
> ;; WHEN: Wed Jan 28 14:31:23 2009
> ;; MSG SIZE  rcvd: 70
> If I leave additional-from-auth enabled, does a recursive nameserver trust 
> all of the data in the response or does it go out & look up the A record for 
> the target of the CNAME to make sure it is right?  If it's the former, then 
> it seems like leaving additional-from-auth enabled does offer some 
> performance benefit, while if it's the latter then it seems like it's just a 
> waste of time.  Or is there some other reasoning I should be considering?

Hi David,

I suppose the answer is implementation dependent but my guess would be that
the recursive nameserver trusts all the data, subject to the "in-bailiwick"
rules.  That is, if your nameserver was queried because its authoritative
for columbia.edu, then the iterator should also trust the A record.

But if the iterator got to your nameserver because it is authoritative
for heartsource.columbia.edu, then it shouldn't trust the A record.

Thats my guess anyway.  Maybe bind-users (or whatever) could give a
more confident answer.


More information about the dns-operations mailing list