On 24. 2. 2014, at 13:40, Maren S. Leizaola <leizaola(a)hk.com> wrote:
On 2/24/2014 7:00 PM,
knot-dns-users-request(a)lists.nic.cz wrote:
Date: Mon, 24 Feb 2014 09:16:27 +0100
From: Jan Kadlec <jan.kadlec(a)nic.cz>
To: "Maren S. Leizaola" <leizaola(a)hk.com>
Cc: knot-dns-users(a)lists.nic.cz
Subject: Re: [knot-dns-users] GLUE and additional records.
Message-ID:
<1393229787.1717.12.camel(a)labs.jan.kadlec.ws.eth.1.office.nic.cz>
Content-Type: text/plain; charset="UTF-8"
Hello Maren and thanks for your report. Knot normally sends glue records
in additional section, it seems as if you might have encountered a bug.
Could you provide more data? One NS, A (AAAA) combination and a dig
output for this combination should be enough. Thanks again, Jan.
The environment is as follows. I host
hk.com on 6 DNS servers, right now 5 are bind and
one is Knot. hk.com's name servers are
a,b,c,d,e,f.udrtld.net b is running Knot.
Try this link
www.intodns.com/hk.com
This reports that B provides no glue. Please ignore the errors on f. i've yet not
setup
urdtld.net on it.
dig -cA
hk.com @b.udrtld.net
when I do a
dig -cA
hk.com @a.udrtld.net
Am I making any mistakes here?
Hi Maren,
as far as I remember the {a,b,c,d,e,f}.udrtld.net would be ignored by the (good behaving)
recursive servers because they don't come in the bailiwick of the queried zone.
So, since those records are not used anyway, we are slimming down the responses.
You may compare responses to:
dig
www.sury.org @pagan.rfc1925.org
- no GLUE since
pagan.rfc1925.org is not in the bailiwick of
www.sury.org
with
dig
www.rfc1925.org @pagan.rfc1925.org
- GLUE added since
pagan.rfc1925.org is in the bailiwick of (
www.)rfc1925.org and can be
used
You can read more about cache poisoning attacks, f.e. here:
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug
Or you can try yourself with unbound recursive server, set the verbosity to 3
(unbound-control verbosity 3), flush the zone cache (unbound-control flush_zone .) and ask
the server, you should be able to observe something like this:
Feb 24 14:00:52 unbound[16038:0] info: sanitize: removing potential poison RRset:
a.udrtld.net. A IN
Feb 24 14:00:52 unbound[16038:0] info: sanitize: removing potential poison RRset:
b.udrtld.net. A IN
Feb 24 14:00:52 unbound[16038:0] info: sanitize: removing potential poison RRset:
c.udrtld.net. A IN
Feb 24 14:00:52 unbound[16038:0] info: sanitize: removing potential poison RRset:
d.udrtld.net. A IN
Feb 24 14:00:52 unbound[16038:0] info: sanitize: removing potential poison RRset:
f.udrtld.net. A IN
in the syslog, and the recursive server will go and resolve the {a,...}.udrtld.net names
itself.
Ondrej
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury@nic.cz
http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------