[dns-operations] extra records in resolver answer, any benefit?
marka at isc.org
Wed Jan 28 00:10:28 UTC 2015
In message <B7C37977-A543-42E6-976A-E155102F9B32 at ogud.com>, Olafur Gudmundsson
> > On Jan 27, 2015, at 4:07 AM, Marek Vavruša <marek.vavrusa at nic.cz> wrote:
> > Hi, I was wondering if there's any operational benefit in including
> > records other than direct answer in resolver responses [1]? For
> > example, some recursors return authoritative NS records, SOA, glue,
> > etc., and some servers scrub them. I have utterly failed in finding
> > anything in the related RFCs to back this up, so I guess it's up to
> > implementors.
> > My reasoning is that the end user rarely needs anything but the direct
> > answer, maybe additional address records for MX, NS and such. But
> > presuming that most of the resolver traffic is 'IN A
> > www.populardomain.com'-like, and a lot of traffic originates from
> > congested mobile networks, it makes sense to me to return only minimal
> > possible responses.
> > Or am I wrong?
> > - Marek
> > [1] With the exception of SOA for NODATA and DNSSEC-related data.
> The original reasoning was to save round trip times and network
> bandwidth. This does not hold any more as Dan Kaminsky showed us
> how to use extra data as cache poison via forged answers.
> In DNS referrals there is value for extra data when name servers are
> below the zone cut. In no other situation do I see value for
> application to see anything that is not in the first NON-empty response
> section (i.e. either Answer or Authority).
Actually there is value:
* signed data is fine regardless of who gives it to you provided
it validates as secure.
* with cookies same zone data is perfectly fine even if not signed.
> I have been thinking about shortening MX answers by only including the
> Answer section and violating the server side processing of additional
> records. If Florian and Tony are right then that should be harmless.
"harmless" == "clients will cope" not "harmless" in terms of efficiency.
> As in most cases these days mail servers are outside the domain.
Lots of mail is still self hosted and if you really care about your
privacy you would self host.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
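As an added illustration of the positions in this exchange (not code from the thread, from BIND, or from any real resolver): a cache-acceptance policy for records outside the first non-empty section, modelled on the two bullets above (validated-secure data is fine from anyone; same-zone data is fine when the exchange was cookie-protected) and on the referral case where glue below the zone cut is needed. The record model, the zone name used as bailiwick and the cookie flag are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record from a response (constructed model, not a wire parser)."""
    name: str             # owner name, e.g. "ns1.sub.example.com."
    rtype: str            # "A", "AAAA", "NS", ...
    rdata: str            # target name or address, as text
    section: str          # "answer", "authority" or "additional"
    secure: bool = False  # True only if the RRset validated as DNSSEC Secure

def labels(name: str) -> list:
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (label-aware, so notexample.com
    is not under example.com; case-insensitive)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def accept_extra(records, zone, cookie_ok):
    """Return {rr: reason} for the records a resolver may keep.

    zone      -- bailiwick of the exchange: the zone the queried server is
                 authoritative for (assumed known from the resolution path)
    cookie_ok -- True if the response carried a valid DNS cookie
    Records missing from the result are discarded, never cached.
    """
    present = [s for s in ("answer", "authority") if any(r.section == s for r in records)]
    primary = present[0] if present else None  # first non-empty section is the reply itself
    delegations = [r for r in records if r.section == "authority" and r.rtype == "NS"]
    accepted = {}
    for rr in records:
        if rr.section == primary:
            accepted[rr] = "first non-empty section"   # still subject to normal answer checks
        elif rr.secure:
            accepted[rr] = "validated secure"          # fine regardless of who served it
        elif not in_bailiwick(rr.name, zone):
            continue  # unsigned, out-of-bailiwick: the forged-extra-data poisoning vector
        elif rr.rtype in ("A", "AAAA") and any(
                labels(rr.name) == labels(d.rdata) and in_bailiwick(rr.name, d.name)
                for d in delegations):
            accepted[rr] = "glue below the zone cut"   # needed to follow the referral
        elif cookie_ok:
            accepted[rr] = "same zone, cookie-protected"
    return accepted
```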