[dns-operations] behaviour of nameserver glue recs and TTL in referrals

Mark Andrews marka at isc.org
Sat Feb 14 21:05:01 UTC 2015


In message <54DF82B7.2000502 at easydns.com>, "Mark E. Jeftovic" writes:
> 
> Is the ADDITIONAL section the functional equivalent of the ANSWER
> section in TLD roots now that most of them give out referrals when
> queried for glue? Or would it only be used if the resolver can't
> otherwise find the glue?

Nameservers should have always given out referrals when they are
asked queries that they only know as glue.  No, it is not functionally
equivalent.

> Where does the TTL come from in the ADDITIONAL section and can it be
> modified by the superdomain operator of the nameserver?

It is set the same way as the ttl on any record is set and yes it
can be changed though most parent zone operators do not provide a
mechanism to do this.

Now if RFC 1034, Section 4.2 was followed fully the parent zone's ttl
would match that of the child zone.

"As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone.  The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut are consistent and remain so."

> In other words:
> 
> Marks-MacBook-Pro:~ markjeftovic1$ dig +norec ns6.zoneedit.co.uk @ns1.nic.uk
> 
> ; <<>> DiG 9.8.5-P1 <<>> +norec ns6.zoneedit.co.uk @ns1.nic.uk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35872
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> 
> ;; QUESTION SECTION:
> ;ns6.zoneedit.co.uk.		IN	A
> 
> ;; AUTHORITY SECTION:
> zoneedit.co.uk.		172800	IN	NS	ns6.zoneedit.co.uk.
> zoneedit.co.uk.		172800	IN	NS	ns1.zoneedit.com.
> zoneedit.co.uk.		172800	IN	NS	ns3.zoneedit.com.
> zoneedit.co.uk.		172800	IN	NS	ns2.zoneedit.com.
> 
> ;; ADDITIONAL SECTION:
> ns6.zoneedit.co.uk.	172800	IN	A	166.88.18.59
> 
> ;; Query time: 177 msec
> ;; SERVER: 195.66.240.130#53(195.66.240.130)
> ;; WHEN: Sat Feb 14 11:49:10 EST 2015
> ;; MSG SIZE  rcvd: 132
> 
> Where are the TTLs in the AUTHORITY and ADDITIONAL sections coming from
> and can they be modified?

The ttls are set the same way as the ttl of any other record
in the zone is set as the zone is loaded.  Delegating NS records
and glue records are not special in that respect.

> What factors would influence whether a resolver on a fresh query uses
> the TTL from the referral vs the one from the authoritative NS for the
> nameserver record itself?

The biggest factor is whether the authoritative servers for the zone
add the NS records for the zone to the responses or not.  Recursive
servers do not generally initiate NS queries though a DNSSEC aware
server will do so when looking for the correct server to get DS
records from.  The NS records are learnt as a side effect of other
queries.

Mark

> Thanks.
> 
> - mark
> 
> -- 
> Mark E. Jeftovic <markjr at easydns.com>
> Founder & CEO, easyDNS Technologies Inc.
> +1-(416)-535-8672 ext 225
> Read my blog: http://markable.com
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
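
The consistency check that the RFC 1034 passage quoted above asks for, as an added example that is not code from either poster: it parses dig output from both sides of the zone cut and reports NS and glue RRsets whose data or TTLs differ. The parent records are the referral quoted in the message; the child records, their TTL of 3600 and the missing NS are constructed sample values, and the function names are hypothetical.

```python
import re

# Parent side: records from the ns1.nic.uk referral quoted in the message.
PARENT = """\
zoneedit.co.uk.     172800 IN NS ns6.zoneedit.co.uk.
zoneedit.co.uk.     172800 IN NS ns1.zoneedit.com.
zoneedit.co.uk.     172800 IN NS ns3.zoneedit.com.
zoneedit.co.uk.     172800 IN NS ns2.zoneedit.com.
ns6.zoneedit.co.uk. 172800 IN A  166.88.18.59
"""

# Child side: CONSTRUCTED sample (assumed TTL 3600, ns3 dropped), not real zone data.
CHILD = """\
zoneedit.co.uk.     3600 IN NS ns6.zoneedit.co.uk.
zoneedit.co.uk.     3600 IN NS ns1.zoneedit.com.
zoneedit.co.uk.     3600 IN NS ns2.zoneedit.com.
ns6.zoneedit.co.uk. 3600 IN A  166.88.18.59
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_rrs(dig_text):
    """Map (owner, type) -> {rdata: ttl}; dig comment lines (';') never match."""
    rrsets = {}
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrsets.setdefault((owner.lower(), rtype), {})[rdata.lower()] = int(ttl)
    return rrsets

def compare_cut(parent_text, child_text):
    """List (owner, type, problem) for each parent RRset that disagrees with the child."""
    parent, child = parse_rrs(parent_text), parse_rrs(child_text)
    issues = []
    for key, p in sorted(parent.items()):
        c = child.get(key)
        if c is None:
            issues.append((*key, "missing in child"))
            continue
        if set(p) != set(c):                    # different NS targets or addresses
            issues.append((*key, "rdata differs"))
        if set(p.values()) != set(c.values()):  # referral TTL vs authoritative TTL
            issues.append((*key, "ttl differs"))
    return issues

if __name__ == "__main__":
    for issue in compare_cut(PARENT, CHILD):
        print(issue)
```

To run it against live data, paste the output of `dig +norec` from a parent server and from one of the child zone's own servers in place of the two sample strings.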


