Hello.
There has been a rather long discussion about the change in TC flag
setting for glue records after the Knot DNS 2.1.1 release. Based on the
feedback, we have decided to tune the server's behavior a little bit.
First of all, the definitions for "glue" differ and the recent RFC 7719
(DNS Terminology) doesn't help. So just to make this absolutely clear,
let's define "mandatory glue": Mandatory glue are non-authoritative
address records for the name servers in the delegation and within the
bailiwick of that delegation.
RFC 1034 Section 4.3.2 [1] describes the algorithm for response
construction. As per step 3.b, we include mandatory glue into the
additional section. If it doesn't fit, the TC flag is set. And as per
step 6., we include other authoritative address records for name servers
in the delegation. If these records don't fit, the TC flag is not set.

[1] https://tools.ietf.org/html/rfc1034#section-4.3.2

Let's show that on an example. Consider the following zone:

$ORIGIN tc.test.
@         SOA   ns admin 1 60 60 1800 60
ns        AAAA  2001:DB8::1
foo       NS    ns.foo
ns.foo    AAAA  2001:DB8::10
bar       NS    bar
          NS    a.ns.bar
          NS    b.ns.bar
          NS    ns.foo
          NS    ns
          NS    foo.test.
bar       AAAA  2001:DB8::20
a.ns.bar  AAAA  2001:DB8::30

Now a query for www.bar.tc.test would result in a response with a
delegation. The authority section would contain NS records for
bar.tc.test. The additional section will contain address records for
the following names:
- bar       required (mandatory glue)
- a.ns.bar  required (mandatory glue)
- ns        optional (authoritative record, possibly with RRSIG)
- b.ns.bar  omitted  (mandatory glue but unavailable)
- ns.foo    omitted  (non-authoritative outside bailiwick)
- foo.test  omitted  (non-authoritative outside zone)

So what do you think? Is it better? This change is already included in
the master branch (in case you want to test it). But there is still some
time to change it before the next release.
Best regards,
Jan
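
The classification rule from the message above, as an added example that is not part of the original message and is not Knot DNS code: it sorts each NS target of the bar.tc.test delegation into required, optional or omitted, and sets TC only when mandatory glue does not fit. The function names and the fixed 28-byte record cost are assumptions made for the illustration.

```python
# Added illustration, not Knot DNS code. Data mirrors the tc.test zone above.
ZONE = "tc.test."
DELEGATIONS = {  # delegation point -> NS targets, fully qualified
    "foo.tc.test.": ["ns.foo.tc.test."],
    "bar.tc.test.": ["bar.tc.test.", "a.ns.bar.tc.test.", "b.ns.bar.tc.test.",
                     "ns.foo.tc.test.", "ns.tc.test.", "foo.test."],
}
# Owner names that carry AAAA records in the zone file.
ADDRESSES = {"ns.tc.test.", "ns.foo.tc.test.", "bar.tc.test.", "a.ns.bar.tc.test."}

def within(name, apex):
    """True if name equals apex or is a subdomain of it, compared by label."""
    n = name.lower().rstrip(".").split(".")
    a = apex.lower().rstrip(".").split(".")
    return len(n) >= len(a) and n[-len(a):] == a

def classify(target, cut):
    """Return (verdict, reason) for one NS target of the delegation at cut."""
    if not within(target, ZONE):
        return "omitted", "non-authoritative outside zone"
    if within(target, cut):  # in bailiwick of this delegation
        if target in ADDRESSES:
            return "required", "mandatory glue"
        return "omitted", "mandatory glue but unavailable"
    if any(within(target, d) for d in DELEGATIONS):
        return "omitted", "non-authoritative outside bailiwick"
    if target in ADDRESSES:
        return "optional", "authoritative record"
    return "omitted", "no address record"  # case not in the message's example

def build_additional(cut, space, rr_size=28):
    """Return (included names, TC flag); rr_size is an assumed per-record cost."""
    included, tc = [], False
    verdicts = [(t, classify(t, cut)[0]) for t in DELEGATIONS[cut]]
    for want in ("required", "optional"):  # step 3.b glue first, then step 6
        for target, verdict in verdicts:
            if verdict != want:
                continue
            if space >= rr_size:
                included.append(target)
                space -= rr_size
            elif want == "required":
                tc = True  # only mandatory glue that does not fit truncates
    return included, tc

if __name__ == "__main__":
    for t in DELEGATIONS["bar.tc.test."]:
        print(t, *classify(t, "bar.tc.test."))
    print(build_additional("bar.tc.test.", space=28))
```

With room for only one record, the second mandatory glue record is dropped and TC is set; with room for two, the optional `ns` record is dropped silently.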