[dns-operations] NS answer inconsistency between implementations for delegated zone

Peter van Dijk peter.van.dijk at netherlabs.nl
Fri Mar 16 18:53:42 UTC 2012


On Mar 16, 2012, at 15:04 , Peter van Dijk wrote:

> On Mar 16, 2012, at 14:54 , Tony Finch wrote:
>> Remi Gacogne <listes+dns-operations at valombre.net> wrote:
>>> I noticed a difference in the behavior of bind, powerdns (using bind or
>>> MySQL backend) and nsd regarding the answer to an NS query for a
>>> delegated zone. Powerdns is responding to the query by putting
>>> corresponding NS RRs into the ANSWER section, whereas bind and nsd are
>>> putting them into the AUTHORITY section.
>>> I am not sure what the correct answer is, as I haven't found a clear
>>> specification on this case yet.
>> BIND and NSD are correct. See RFC 2181 section 6.1.
> Thanks for the pointer! It turns out we have this issue in specific backend configurations. I've added a test to our test suite and am fixing the backends responsible.

PowerDNS now (as of SVN five minutes ago) does this correctly too. 

It turned out we only did it wrong with configurations that did not enable DNSSEC implicitly or explicitly - indeed, as Peter Koch said, this all became a lot more relevant with the advent of DNSSEC.

Kind regards,
Peter van Dijk

More information about the dns-operations mailing list