[dns-operations] extra records in resolver answer, any benefit?

Mark Andrews marka at isc.org
Wed Jan 28 00:10:28 UTC 2015


In message <B7C37977-A543-42E6-976A-E155102F9B32 at ogud.com>, Olafur Gudmundsson 
writes:
> 
> > On Jan 27, 2015, at 4:07 AM, Marek Vavruša <marek.vavrusa at nic.cz> wrote:
> > 
> > Hi, I was wondering if there's any operational benefit in including
> > records other than direct answer in resolver responses [1]?  For
> > example, some recursors return authoritative NS records, SOA, glue,
> > etc., and some servers scrub them. I have utterly failed in finding
> > anything in the related RFCs to back this up, so I guess it's up to
> > implementors.
> > 
> > My reasoning is that the end user rarely needs anything but the direct
> > answer, maybe additional address records for MX, NS and such. But
> > presuming that most of the resolver traffic is 'IN A
> > www.populardomain.com'-like, and a lot of traffic originates from
> > congested mobile networks, it makes sense to me to return only minimal
> > possible responses.
> > Or am I wrong?
> > 
> > - Marek
> > 
> > [1] With the exception of SOA for NODATA and DNSSEC-related data.
> 
> The original reasoning was to save round trip times and network 
> bandwidth.  This does not hold any more as Dan Kaminsky showed us
> how to use extra data as cache poison via forged answers. 
> 
> In DNS referrals there is value for extra data when name servers are 
> below the zone cut.  In no other situation do I see value for an
> application to see anything that is not in the first NON-empty response
> section (i.e. either Answer or Authority). 

Actually there is value:
* signed data is fine regardless of who gives it to you provided
  it validates as secure.
* with cookies same zone data is perfectly fine even if not signed.

> I have been thinking about shortening MX answers by only including the 
> Answer section and violating the server side processing of additional
> records. If Florian and Tony are right then that should be harmless.

"harmless" == "clients will cope", not "harmless" in terms of efficiency.

> As in most cases these days mail servers are outside the domain. 
 
Lots of mail is still self hosted and if you really care about your
privacy you would self host.

>    Olafur

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
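As an added example (not code from the list or from any resolver) of the scrubbing policy that falls out of the exchange above: a record outside the Answer section is passed on only if it is DNSSEC-validated, or if it is same-zone data received under a verified DNS cookie, while the SOA and DNSSEC records that Marek's footnote exempts are always kept. The names `RR`, `in_bailiwick` and `scrub` are my own, and the `validated` and `cookie_ok` flags stand for the results of a validator and a cookie check that sit outside this snippet.

```python
from dataclasses import dataclass

# Constructed example, not resolver code. Assumed names: RR, in_bailiwick, scrub.
# 'validated' and 'cookie_ok' stand for the outcome of a DNSSEC validator and a
# DNS-cookie check that live outside this snippet.

@dataclass(frozen=True)
class RR:
    name: str        # owner name, e.g. "ns1.example.com."
    rtype: str       # "A", "NS", "SOA", "RRSIG", ...
    rdata: str
    section: str     # "answer", "authority" or "additional"
    validated: bool = False   # True once the validator marked the RRset secure

# DNSSEC proof records that accompany an answer; they are inputs to validation
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}

def _norm(name):
    return name.lower().rstrip(".") + "."

def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)

def scrub(response, zone, cookie_ok):
    """Records to hand to the client / cache from a reply served for `zone`.

    The Answer section always passes.  Authority/Additional records pass only
    if they are DNSSEC-validated, or are in-bailiwick and the exchange was
    protected by a verified DNS cookie, or are the SOA of a NODATA/NXDOMAIN
    reply or DNSSEC proof records (the exceptions in Marek's footnote).
    """
    has_answer = any(rr.section == "answer" for rr in response)
    kept = []
    for rr in response:
        if rr.section == "answer":
            kept.append(rr)                    # the direct answer always stays
        elif rr.validated or rr.rtype in DNSSEC_TYPES:
            kept.append(rr)                    # secure data is fine from anyone
        elif rr.section == "authority" and rr.rtype == "SOA" and not has_answer:
            kept.append(rr)                    # needed for negative caching
        elif cookie_ok and in_bailiwick(rr.name, zone):
            kept.append(rr)                    # same-zone data under a cookie
        # anything else: unsigned, out-of-bailiwick or un-cookied -> dropped
    return kept
```

Without a cookie the unsigned in-bailiwick NS and glue records are dropped as well, which is the stricter reading of the point made above; relax the `cookie_ok` condition if you only want the classic bailiwick rule.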