[dns-operations] Discarding bad records from an AXFR

Anand Buddhdev anandb at ripe.net
Tue Jul 30 20:55:19 UTC 2013

Hello DNS experts,

I am seeking opinion about an aspect of AXFR.  Let's start with what
BIND does. When configured as a slave, and receiving an AXFR, if there
are out-of-zone records in the zone, BIND excludes them from its
in-memory copy of the zone. However, it *does* save the entire zone to
disk, including the bad records. When a downstream slave asks this
instance of BIND for an AXFR, it provides the complete zone, including
the bad records.

Now I'm looking at Knot DNS 1.3.0-rc5. When it receives an AXFR with
out-of-zone records, it discards them completely. So when it saves the
zone to the disk, the out-of-zone records are not saved, and if a client
asks this instance of Knot for an AXFR for this zone, the client will
receive Knot's sanitised copy of the zone.

I can see the positive and negative sides to both approaches, and since
RFC 5936 (AXFR) does not say anything specific about how to treat bad
records in a zone, both BIND and Knot are doing what they think is right.

BIND is trying to pass on the zone unchanged, but will of course not
serve any out-of-zone records. Knot will not serve out-of-zone records,
but will not pass them on either.

What do you all think is the correct behaviour? Or are both correct?

PS. I realise that Knot's behaviour could break a DNSSEC-signed zone,
but then, no sane signer will sign a zone with out-of-zone records, so
that the process of signing a zone would force the operator to clean up
their zone.


Anand Buddhdev
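A small model of the two behaviours described in the post, added here as an illustration; it is not code from BIND, Knot or the original message. The `RR` type, the label-wise apex check and the sample transfer are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    owner: str   # fully qualified owner name with trailing dot
    ttl: int
    rtype: str
    rdata: str

def labels(name: str) -> list[str]:
    """Split an FQDN into lowercase labels, dropping the root label."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def in_zone(owner: str, apex: str) -> bool:
    """True if owner is the apex or below it (compared label by label,
    so 'notexample.com.' is NOT inside 'example.com.')."""
    o, a = labels(owner), labels(apex)
    return len(o) >= len(a) and o[len(o) - len(a):] == a

def split_axfr(records: list[RR], apex: str):
    """Partition a transferred zone into in-zone and out-of-zone records."""
    good = [r for r in records if in_zone(r.owner, apex)]
    bad = [r for r in records if not in_zone(r.owner, apex)]
    return good, bad

def bind_style(records: list[RR], apex: str) -> dict:
    """Serve only in-zone records, but keep the full transfer on disk so a
    downstream slave receives the zone unchanged, bad records included."""
    good, _ = split_axfr(records, apex)
    return {"serve": good, "retransfer": list(records)}

def knot_style(records: list[RR], apex: str) -> dict:
    """Discard out-of-zone records entirely: neither served nor passed on."""
    good, _ = split_axfr(records, apex)
    return {"serve": good, "retransfer": good}

# Constructed sample AXFR payload for example.com. (documentation addresses),
# containing two records whose owner names lie outside the zone.
SAMPLE = [
    RR("example.com.", 3600, "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    RR("example.com.", 3600, "NS", "ns1.example.com."),
    RR("ns1.example.com.", 3600, "A", "192.0.2.1"),
    RR("www.example.com.", 300, "A", "192.0.2.10"),
    RR("notexample.com.", 300, "A", "198.51.100.5"),   # out of zone (suffix trap)
    RR("ns1.example.net.", 3600, "A", "203.0.113.1"),  # stray glue for another zone
]
```

Running `split_axfr(SAMPLE, "example.com.")` separates the two stray records; `bind_style` still hands all six on to a downstream slave, while `knot_style` passes on only the four in-zone ones.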
