[dns-operations] Discarding bad records from an AXFR

Jared Mauch jared at puck.nether.net
Tue Jul 30 21:00:06 UTC 2013


On Jul 30, 2013, at 4:55 PM, Anand Buddhdev <anandb at ripe.net> wrote:

> BIND is trying to pass on the zone unchanged, but will of course not
> serve any out-of-zone records. Knot will not serve out-of-zone records,
> but will not pass them on either.
> 
> What do you all think is the correct behaviour? Or are both correct?
> 
> PS. I realise that Knot's behaviour could break a DNSSEC-signed zone,
> but then, no sane signer will sign a zone with out-of-zone records, so
> that the process of signing a zone would force the operator to clean up
> their zone.

Honestly, anyone sticking out-of-zone information in their zone needs to be
sent back to the 1980s or early 1990s where they belong.  I've long been in
favor of breaking zones that do "invalid" things.

I set check-names fail on master zones and warn on slave zones that I serve.

This would be something where I would expect a modern master server to treat
it as a fatal error and the slave to ignore them (as both bind and knot do).
As far as saving to disk?  I think the data is out of scope and
should not be written to disk, as it's just junk data.

- Jared
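The slave-side behaviour discussed in this thread (accept the transfer, but drop any record whose owner lies outside the zone apex, as both BIND and Knot do) is straightforward to check for yourself. The following is an added illustration, not code from Jared, BIND or Knot; the record tuples and the transfer contents are constructed for the example. The point of doing the comparison label by label is that a plain string suffix test would wrongly keep `notexample.com.` inside `example.com.`.

```python
"""Split an AXFR-style record set into in-zone and out-of-zone records (added example)."""

def _labels(name):
    """Lower-case, root-relative label list: 'Foo.Example.com.' -> ['foo', 'example', 'com']."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_zone(owner, origin):
    """True if owner is the zone apex or a descendant of it (label-wise, not a string suffix test)."""
    o, z = _labels(owner), _labels(origin)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def partition_axfr(origin, records):
    """Return (kept, discarded): records whose owner lies outside origin are discarded.
    records are (owner, ttl, type, rdata) tuples in the order a transfer delivers them."""
    kept, discarded = [], []
    for rr in records:
        (kept if in_zone(rr[0], origin) else discarded).append(rr)
    return kept, discarded

# Constructed sample transfer for example.com. (not real data); two out-of-zone records slipped in.
SAMPLE_AXFR = [
    ("example.com.", 3600, "SOA", "ns1.example.com. hostmaster.example.com. 2013073001 3600 900 1209600 300"),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    ("WWW.Example.COM.", 300, "A", "192.0.2.10"),
    ("notexample.com.", 300, "A", "198.51.100.5"),    # out of zone: only a string suffix would match
    ("ns1.example.net.", 3600, "A", "203.0.113.7"),   # out of zone: different parent domain
    ("example.com.", 3600, "SOA", "ns1.example.com. hostmaster.example.com. 2013073001 3600 900 1209600 300"),
]

if __name__ == "__main__":
    kept, dropped = partition_axfr("example.com.", SAMPLE_AXFR)
    for rr in dropped:
        print("discarding out-of-zone record:", rr[0], rr[2], rr[3])
    print(f"kept {len(kept)} of {len(SAMPLE_AXFR)} records")
```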
