Hi Charles,
Generally speaking - if the stuff in the ADDITIONAL section is not inside the domain you are asking about (and at the same level) it should not be used by a secure resolver.
You can see an exact example at my personal domain name: rfc1925.org.
Try asking:
# kdig IN A www.rfc1925.org @master.dns.rocks
- this is Knot DNS and it will only return the ANSWER and AUTHORITY sections because neither trubka.network.cz nor master.dns.rocks falls within the "rfc1925.org" bailiwick.
# kdig IN A www.rfc1925.org @trubka.network.cz
- this server is running BIND and it will return all kinds of (useless) stuff in the ADDITIONAL section. Why can the data not be used? Data for "trubka.network.cz" is not in the bailiwick (and if you are querying this server you already know the answer); data for "master.dns.rocks" cannot be used because the resolver has no idea whether "trubka.network.cz" is also an authoritative server for "dns.rocks" unless the resolver also does the bottom-up lookup for "master.dns.rocks" - and in that case you would also already know the answer.
On the other hand, there are legitimate uses of the ADDITIONAL section, see this query:
# kdig IN SOA dns.rocks @master.dns.rocks
This query returns the IPv4/v6 addresses of master.dns.rocks in the ADDITIONAL section because they are in the bailiwick of the dns.rocks zone (and at the same level - that means the resolver can be sure the name is not delegated elsewhere).
The other legitimate use is providing GLUE records in the parent zone.
Cheers,
--
Ondřej Surý -- Chief Science Officer
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury@nic.cz
https://nic.cz/
--------------------------------------------
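The bailiwick rule described in the reply above, as an added example that is not code from the thread, from Knot DNS or from BIND: a small resolver-side filter that keeps only ADDITIONAL records whose owner name lies inside the zone the response is attributed to. The owner names are the ones from the thread; the addresses, and the `delegations` argument that stands in for the "same level" condition, are constructed assumptions.

```python
# Added example, not from the thread or from Knot DNS: a minimal resolver-side
# bailiwick filter for the ADDITIONAL section. Owner names come from the thread;
# the addresses and the `delegations` argument are constructed assumptions.
from typing import List, Sequence, Tuple

RR = Tuple[str, str, str]  # (owner name, type, rdata)

def labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies below it on a label boundary.
    A plain suffix test would wrongly accept 'xrfc1925.org' for 'rfc1925.org'."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_additional(zone: str, additional: Sequence[RR],
                      delegations: Sequence[str] = ()) -> Tuple[List[RR], List[RR]]:
    """Split ADDITIONAL records into (usable, discarded) for a response the resolver
    attributes to `zone`. `delegations` (assumed to come from NS RRsets seen in the
    AUTHORITY section) models the 'same level' rule: names handed off to a child
    zone are not this server's to vouch for, so they are discarded as well."""
    usable, discarded = [], []
    for rr in additional:
        owner = rr[0]
        ok = in_bailiwick(owner, zone) and not any(
            in_bailiwick(owner, d) for d in delegations if labels(d) != labels(zone))
        (usable if ok else discarded).append(rr)
    return usable, discarded

# Constructed model of the BIND answer for www.rfc1925.org: neither ADDITIONAL
# owner is under rfc1925.org, so a strict resolver drops both.
BIND_ADDITIONAL: List[RR] = [
    ("trubka.network.cz.", "A", "192.0.2.1"),
    ("master.dns.rocks.", "A", "192.0.2.2"),
]
# Constructed model of the SOA dns.rocks answer from master.dns.rocks: the
# ADDITIONAL records are inside the dns.rocks bailiwick and may be cached.
SOA_ADDITIONAL: List[RR] = [
    ("master.dns.rocks.", "A", "192.0.2.2"),
    ("master.dns.rocks.", "AAAA", "2001:db8::2"),
]

if __name__ == "__main__":
    print(filter_additional("rfc1925.org", BIND_ADDITIONAL))
    print(filter_additional("dns.rocks", SOA_ADDITIONAL))
```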
----- Original Message -----
From: "Charles Musser"
<cmusser(a)sonic.net>
To: knot-dns-users(a)lists.nic.cz
Sent: Tuesday, June 16, 2015 12:20:45 AM
Subject: Re: [knot-dns-users] Additional section
On Jun 15, 2015, at 1:43 PM, Ondřej Surý <ondrej.sury(a)nic.cz> wrote:
Hi Charles,
this is hard to say without a specific example, but generally Knot DNS is trying to send a minimal usable response that doesn't include resource records that won't be used by modern resolvers.
Modern resolvers generally throw away any records that are not within a very strict bailiwick (e.g. anything extra that the resolver hasn't asked for will be discarded). If you can give us an example of such responses we can decode why the records won't be used by resolvers (or whether it is really a bug in Knot DNS).
The specific information that BIND returns is a list of A records that list our
name servers and their IP addresses. I'm not sure how it decides to send this
particular information, but it does. It has a set of config directives that
control generally whether additional information is sent.
It may be that we don't want to send additional information. At least one person
on the BIND mailing list expressed opinions similar to what you're saying:
authoritative servers should only respond with what was requested (and not send
additional data). If that data is sent for every request and not used, then
that's wasteful.
Chuck
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users