[dns-operations] about the ADDITIONAL SECTION

Mark Andrews marka at isc.org
Fri Jun 28 03:45:48 UTC 2013


In message <51CCEF49.8030003 at nsbeta.info>, Feng He writes:
> Hi,
> 
> Sorry for my not good english.
> Says I have a domain a.com, whose NS records are:
> ns1.b.com
> ns2.b.com
> 
> But b.com is not auth-resolved by my nameserver, for example, its 
> auth-servers are registrar's.
> 
> a.com is auth-resolved by my own nameservers, the NS records look as:
> 
> a.com.             111    IN      NS      ns1.b.com.
> a.com.             111    IN      NS      ns2.b.com.

This is expected and good. 
 
> But, if I add the zone b.com into the nameservers' zone file (though the 
> zone is not auth-resolved by my servers as I've said), and setup the A 
> records with fake IP for ns1.b.com and ns2.b.com. When query for:
> dig a.com ns

Do not do this.  This is bad.
 
> The nameservers will answer with the additional section whose content is 
> the fake IPs.
> 
> ;; ANSWER SECTION:
> a.com.            111     IN      NS      ns1.b.com.
> a.com.            111     IN      NS      ns2.b.com.
> 
> ;; ADDITIONAL SECTION:
> ns1.b.com.     111     IN      A       1.2.3.4
> ns2.b.com.     111     IN      A       5.6.7.8
> 
> Will this make the world's DNS cache not work? i.e, the ISP's public DNS 
> servers.
> 
> Thanks.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the dns-operations mailing list