[dns-operations] extra records in resolver answer, any benefit?

Olafur Gudmundsson ogud at ogud.com
Tue Jan 27 21:22:11 UTC 2015


> On Jan 27, 2015, at 4:07 AM, Marek Vavruša <marek.vavrusa at nic.cz> wrote:
> 
> Hi, I was wondering if there's any operational benefit in including
> records other than the direct answer in resolver responses [1]?  For
> example, some recursors return authoritative NS records, SOA, glue,
> etc., and some servers scrub them. I have utterly failed in finding
> anything in the related RFCs to back this up, so I guess it's up to
> implementors.
> 
> My reasoning is that the end user rarely needs anything but the direct
> answer, maybe additional address records for MX, NS and such. But
> presuming that most of the resolver traffic is 'IN A
> www.populardomain.com'-like, and a lot of traffic originates from
> congested mobile networks, it makes sense to me to return only minimal
> possible responses.
> Or am I wrong?
> 
> - Marek
> 
> [1] With the exception of SOA for NODATA and DNSSEC-related data.

The original reasoning was to save round trip times and network bandwidth. 
This does not hold any more as Dan Kaminsky showed us how to use extra data as 
cache poison via forged answers. 

In DNS referrals there is value for extra data when name servers are below the zone cut. 
In no other situation do I see value for an application to see anything that is not
in the first NON-empty response section (i.e. either Answer or Authority).

I have been thinking about shortening MX answers by only including the Answer section and
violating the server-side processing of additional records. If Florian and Tony are right then that should be
harmless, as in most cases these days mail servers are outside the domain.
 
   Olafur
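The two scrubbing policies discussed in this thread, as an added example that is not code from the original posts or from any resolver: an unconditional drop of out-of-bailiwick Additional records (the forged-data defence), and an optional "minimal" mode that keeps only the first non-empty section except for glue below a zone cut in a referral. The bailiwick rule here is a simplifying assumption (owner of the Authority NS/SOA RRset, else the query name), and the record sets are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A", "AAAA", "NS", "SOA", "MX", ...
    rdata: str   # rdata as presentation text (NS rdata is the target name)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (case-insensitive, dot-normalised)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def scrub(qname, answer, authority, additional, minimal=False):
    """Apply the scrubbing policy; returns (answer, authority, additional).

    Assumption: bailiwick is approximated as the owner of the Authority
    NS/SOA RRset, falling back to the query name.  That is stricter than
    the usual "zone the responding server serves" rule, so it admits less."""
    zone = next((rr.name for rr in authority if rr.rtype in ("NS", "SOA")), qname)
    # Out-of-bailiwick Additional records are never cached or forwarded;
    # this is the check that keeps forged extra data out of the cache.
    additional = [rr for rr in additional if in_bailiwick(rr.name, zone)]
    if not minimal:
        return answer, authority, additional
    if answer:
        # Minimal response: nothing beyond the first non-empty section.
        return answer, [], []
    # Referral: keep Authority, and glue only for NS targets below the cut.
    targets = {rr.rdata.lower() for rr in authority if rr.rtype == "NS"}
    glue = [rr for rr in additional
            if rr.rtype in ("A", "AAAA") and rr.name.lower() in targets]
    return answer, authority, glue

# Constructed sample 1: MX answer with one in-domain and one outside target.
MX_ANSWER = [RR("example.com.", "MX", "10 mail.example.com."),
             RR("example.com.", "MX", "20 mx.example.net.")]
MX_ADDITIONAL = [RR("mail.example.com.", "A", "192.0.2.25"),
                 RR("mx.example.net.", "A", "198.51.100.25")]

# Constructed sample 2: referral for www.example.com from the parent zone.
REF_AUTHORITY = [RR("example.com.", "NS", "ns1.example.com."),
                 RR("example.com.", "NS", "ns2.example.net.")]
REF_ADDITIONAL = [RR("ns1.example.com.", "A", "192.0.2.53"),
                  RR("ns2.example.net.", "A", "198.51.100.53")]

if __name__ == "__main__":
    print(scrub("example.com.", MX_ANSWER, [], MX_ADDITIONAL))
    print(scrub("www.example.com.", [], REF_AUTHORITY, REF_ADDITIONAL, minimal=True))
```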