[dns-operations] NS records in Authority for NOERROR responses

Shane Kerr shane at time-travellers.org
Wed Sep 23 08:48:39 UTC 2015


On Mon, 21 Sep 2015 16:53:31 +0200
Jan Včelák <jan.vcelak at nic.cz> wrote:
> > 
> > does any validating recursive server detect this condition and do the
> > extra query today?
> I did a small research:
> - BIND trusts glue. 
> - Unbound trusts glue unless 'harden-referral-path' is enabled. The
>   default is off and it's documented to "burden authoritative servers"
>   and "could cause performance problems". I don't fully agree with that
>   and I think it could be enabled by default. (Btw, it's enabled by
>   default in Fedora and Red Hat.)
> - Knot DNS Resolver explicitly asks for the NS record and doesn't
>   "trust" the glue (the project is work-in-progress, I tried the last
>   version from the repo).
> I'm not aware of any other open-source resolver doing validation.
> (Dnsmasq is out of the game as it can do the validation but can't do
> the full recursion, just query forwarding.)

Thanks for the research! :)

Did you have a look at the actual traffic? I'm curious what the impact
is on packet county and latency (if any).



More information about the dns-operations mailing list