[dns-operations] about the ADDITIONAL SECTION
Jared Mauch
jared at puck.nether.net
Fri Jun 28 02:22:41 UTC 2013
On Jun 27, 2013, at 10:04 PM, Feng He <fenghe at nsbeta.info> wrote:
> Hi,
>
> Sorry for my not good English.
> Say I have a domain a.com, whose NS records are:
> ns1.b.com
> ns2.b.com
>
> But b.com is not auth-resolved by my nameserver, for example, its auth-servers are registrar's.
>
> a.com is auth-resolved by my own nameservers, the NS records look as:
>
> a.com. 111 IN NS ns1.b.com.
> a.com. 111 IN NS ns2.b.com.
>
> But, if I add the zone b.com into the nameservers' zone file (though the zone is not auth-resolved by my servers as I've said), and set up the A records with fake IPs for ns1.b.com and ns2.b.com. When querying for:
> dig a.com ns
You don't want to do this any more. That hasn't been necessary for maybe 15 years now. Your software should also log an error/warning if you do it.
> The nameservers will answer with the additional section whose content is the fake IPs.
>
> ;; ANSWER SECTION:
> a.com. 111 IN NS ns1.b.com.
> a.com. 111 IN NS ns2.b.com.
>
> ;; ADDITIONAL SECTION:
> ns1.b.com. 111 IN A 1.2.3.4
> ns2.b.com. 111 IN A 5.6.7.8
>
> Will this make the world's DNS cache not work? i.e., the ISP's public DNS servers.
It should not impact most of them. Anyone that isn't fetching this themselves and trusting what they receive is asking for trouble.
http://www.kb.cert.org/vuls/id/418861
is one fix.
- Jared
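The reason the fake glue above should not poison a sane cache is the bailiwick rule: a resolver only accepts ADDITIONAL-section records whose owner name falls under the zone the answering server is authoritative for, and fetches everything else itself. The following is an added example (not code from the thread or from any resolver) that applies that rule to the dig output quoted above; the helper names and the example.net records are constructed for illustration.

```python
import re
from collections import namedtuple

# Added example: a minimal bailiwick filter of the kind a caching resolver
# applies to the ADDITIONAL section. Names, helpers and the example.net
# records are constructed; the a.com/b.com records come from the thread.

RR = namedtuple("RR", "name ttl rclass rtype rdata")

# Presentation format as printed by dig: owner TTL class type rdata
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(\S+)$")


def parse_rr(line):
    """Parse one dig-style resource record line into an RR tuple."""
    m = RR_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a presentation-format RR: {line!r}")
    name, ttl, rclass, rtype, rdata = m.groups()
    return RR(name.lower(), int(ttl), rclass, rtype, rdata.lower())


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it (case- and dot-insensitive)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def filter_additional(zone, additional_lines):
    """Split ADDITIONAL records into those a resolver may cache and those it must drop.

    `zone` is the zone the answering server is authoritative for; any owner
    name outside it (such as ns1.b.com in an answer for a.com) is discarded.
    """
    kept, dropped = [], []
    for line in additional_lines:
        rr = parse_rr(line)
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


def names_needing_lookup(zone, answer_lines, additional_lines):
    """NS targets from the ANSWER section whose addresses the resolver must fetch itself."""
    kept, _ = filter_additional(zone, additional_lines)
    glued = {rr.name for rr in kept if rr.rtype in ("A", "AAAA")}
    targets = [rr.rdata for rr in map(parse_rr, answer_lines) if rr.rtype == "NS"]
    return [t for t in targets if t not in glued]


# Constructed sample: the response quoted in the thread
ZONE = "a.com."
ANSWER = ["a.com. 111 IN NS ns1.b.com.", "a.com. 111 IN NS ns2.b.com."]
ADDITIONAL = ["ns1.b.com. 111 IN A 1.2.3.4", "ns2.b.com. 111 IN A 5.6.7.8"]

# Constructed contrast: in-bailiwick glue that a resolver may legitimately use
GLUE_ZONE = "example.net."
GLUE_ADDITIONAL = ["ns1.example.net. 300 IN A 192.0.2.1"]

if __name__ == "__main__":
    kept, dropped = filter_additional(ZONE, ADDITIONAL)
    print("kept:", kept)        # [] -> nothing from b.com is cached
    print("dropped:", dropped)  # both fake A records
    print("must resolve:", names_needing_lookup(ZONE, ANSWER, ADDITIONAL))
    print("example.net glue kept:", filter_additional(GLUE_ZONE, GLUE_ADDITIONAL)[0])
```

Run as a script it shows that both fake A records are dropped and that ns1.b.com and ns2.b.com are resolved on their own (through b.com's real delegation), so the 1.2.3.4/5.6.7.8 values never enter the cache. Real resolvers layer more on top of this (rank-by-credibility, DNSSEC), but the bailiwick check is the part that makes the quoted trick harmless.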