[dns-operations] NS records in Authority for NOERROR responses

Jan Včelák jan.vcelak at nic.cz
Mon Sep 21 14:53:31 UTC 2015


Hello,

On Friday, September 04, 2015 07:40:42 PM Paul Vixie wrote:
> >> the extra round trip per delegation-crossing you're proposing sounds
> >> expensive to me, compared with having the zone include its apex NS RRset
> >> as BIND does today.
> > 
> > Yes, it's one more RTT. It will get cached though...
> 
> does any validating recursive server detect this condition and do the
> extra query today?

I did a small research:

- BIND trusts glue. 

- Unbound trusts glue unless 'harden-referral-path' is enabled. The default
  is off and it's documented to "burden authoritative servers" and "could
  cause performance problems". I don't fully agree with that and I think it
  could be enabled by default. (Btw, it's enabled by default in Fedora and
  Red Hat.)

- Knot DNS Resolver explicitly asks for the NS record and doesn't "trust" the
  glue (the project is work-in-progress, I tried the last version from the
  repo).

I'm not aware of any other open-source resolver doing validation. (Dnsmasq is 
out of the game as it can do the validation but can't do the full recursion, 
just query forwarding.)

I also tried a similar experiment with Google resolvers. I set up a secure 
delegation in my testing zone. The NS record in the parent zone pointed to a 
name in the authority of the child zone. The authoritative server for the 
child zone was assigned two IP addresses - the first one was used in the glue 
record in the parent zone, the second one was used in the child zone in the 
authoritative record.

Then I started asking a Google resolver for names in the child zone. No matter 
what I did, the resolver was contacting my server only on the address from the 
glue. I also tried asking the resolver for the address of the name server, but 
still all subsequent queries were happening on the address from the glue. And 
yes, I tried both with Knot DNS and BIND on the authoritative. So adding the 
NS into NOERROR responses seems not to help at least for Google resolvers.

Best regards,

Jan



More information about the dns-operations mailing list