[dns-operations] about the ADDITIONAL SECTION

Jared Mauch jared at puck.nether.net
Fri Jun 28 02:22:41 UTC 2013


On Jun 27, 2013, at 10:04 PM, Feng He <fenghe at nsbeta.info> wrote:

> Hi,
> 
> Sorry for my poor English.
> Say I have a domain a.com, whose NS records are:
> ns1.b.com
> ns2.b.com
> 
> But b.com is not authoritatively resolved by my nameserver; for example, its authoritative servers are the registrar's.
> 
> a.com is auth-resolved by my own nameservers, the NS records look as:
> 
> a.com.             111    IN      NS      ns1.b.com.
> a.com.             111    IN      NS      ns2.b.com.
> 
> But, if I add the zone b.com into the nameservers' zone file (though the zone is not authoritatively resolved by my servers, as I've said), and set up A records with fake IPs for ns1.b.com and ns2.b.com, then when I query for:
> dig a.com ns

You don't want to do this any more.  That hasn't been necessary for maybe 15 years now.  Your software should also log an error/warning if you do it.

> The nameservers will answer with the additional section whose content is the fake IPs.
> 
> ;; ANSWER SECTION:
> a.com.            111     IN      NS      ns1.b.com.
> a.com.            111     IN      NS      ns2.b.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.b.com.     111     IN      A       1.2.3.4
> ns2.b.com.     111     IN      A       5.6.7.8
> 
> Will this make the world's DNS caches not work? i.e., the ISPs' public DNS servers.

It should not impact most of them.  Anyone that isn't fetching this themselves and trusting what they receive is asking for trouble.

http://www.kb.cert.org/vuls/id/418861

Is one fix.

- Jared
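The reason the fake glue "should not impact most of them" is that a cache applying a bailiwick check only accepts additional-section addresses whose owner name sits inside the zone the answering server is authoritative for; ns1.b.com is not under a.com, so the cache discards those A records and looks them up itself from b.com's authorities. The following is an added example illustrating that check; it is not code from the thread or from any resolver, and the record lines are constructed from the dig output quoted above plus one made-up in-bailiwick glue record (ns3.a.com) for contrast.

```python
"""
Bailiwick filtering of DNS additional-section records, as a caching
resolver applies it before trusting a name server's glue.

Added example, not code from the dns-operations thread. Record lines are
constructed from the thread's dig output; ns3.a.com is a made-up
in-bailiwick glue record added for contrast.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record in presentation format, owner lower-cased, no trailing dot."""
    owner: str
    ttl: int
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Case-fold a domain name and strip the trailing dot so comparisons are uniform."""
    return name.rstrip(".").lower()


def parse_rr(line: str) -> RR:
    """Parse a dig-style line such as 'ns1.b.com. 111 IN A 1.2.3.4'."""
    owner, ttl, rclass, rtype, rdata = line.split(None, 4)
    if rclass != "IN":
        raise ValueError(f"unsupported class {rclass!r}")
    return RR(normalize(owner), int(ttl), rtype, rdata.strip())


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a descendant of it (the root zone covers everything)."""
    name, zone = normalize(name), normalize(zone)
    if zone == "":
        return True
    # The '.' prefix prevents 'xa.com' from matching zone 'a.com'.
    return name == zone or name.endswith("." + zone)


def filter_additional(zone: str, additional_lines: list) -> tuple:
    """Split additional-section A/AAAA records into those a cache may accept
    from a server authoritative for `zone` and those it must discard."""
    accepted, rejected = [], []
    for line in additional_lines:
        rr = parse_rr(line)
        if rr.rtype not in ("A", "AAAA"):
            rejected.append(rr)          # only addresses belong in glue
        elif in_bailiwick(rr.owner, zone):
            accepted.append(rr)
        else:
            rejected.append(rr)
    return accepted, rejected


def names_to_resolve_ourselves(zone: str, ns_lines: list, additional_lines: list) -> set:
    """Name-server targets from the answer section whose addresses were not
    supplied by trustworthy (in-bailiwick) glue, so the resolver must look
    them up separately."""
    targets = {normalize(parse_rr(line).rdata) for line in ns_lines}
    accepted, _ = filter_additional(zone, additional_lines)
    return targets - {rr.owner for rr in accepted}


# Constructed from the thread: the answer a.com's server gives for 'dig a.com ns'.
ANSWER_SECTION = [
    "a.com.  111  IN  NS  ns1.b.com.",
    "a.com.  111  IN  NS  ns2.b.com.",
]

# The fake out-of-bailiwick glue from the thread, plus one constructed
# in-bailiwick glue record (ns3.a.com, documentation address 192.0.2.53).
ADDITIONAL_SECTION = [
    "ns1.b.com.  111  IN  A  1.2.3.4",
    "ns2.b.com.  111  IN  A  5.6.7.8",
    "ns3.a.com.  111  IN  A  192.0.2.53",
]

if __name__ == "__main__":
    acc, rej = filter_additional("a.com", ADDITIONAL_SECTION)
    print("accepted glue:", [f"{r.owner} {r.rdata}" for r in acc])
    print("discarded glue:", [f"{r.owner} {r.rdata}" for r in rej])
    print("must resolve ourselves:",
          sorted(names_to_resolve_ourselves("a.com", ANSWER_SECTION, ADDITIONAL_SECTION)))
```

Run against the thread's data, the two b.com addresses are discarded and both NS names end up in the "must resolve ourselves" set, which is exactly the behaviour Jared describes: a cache that skips this check and trusts whatever arrives in the additional section is the one that gets poisoned.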

