[dns-operations] NS records in Authority for NOERROR responses
Shane Kerr
shane at time-travellers.org
Wed Sep 23 08:48:39 UTC 2015
Jan,
On Mon, 21 Sep 2015 16:53:31 +0200
Jan Včelák <jan.vcelak at nic.cz> wrote:
> >
> > does any validating recursive server detect this condition and do the
> > extra query today?
>
> I did a little research:
>
> - BIND trusts glue.
>
> - Unbound trusts glue unless 'harden-referral-path' is enabled. The
> default is off and it's documented to "burden authoritative servers"
> and "could cause performance problems". I don't fully agree with that
> and I think it could be enabled by default. (Btw, it's enabled by
> default in Fedora and Red Hat.)
>
> - Knot DNS Resolver explicitly asks for the NS record and doesn't
> "trust" the glue (the project is work-in-progress, I tried the last
> version from the repo).
>
> I'm not aware of any other open-source resolver doing validation.
> (Dnsmasq is out of the game as it can do the validation but can't do
> the full recursion, just query forwarding.)
Thanks for the research! :)
Did you have a look at the actual traffic? I'm curious what the impact
is on packet count and latency (if any).
Cheers,
--
Shane