[Pdns-users] NS answer inconsistency between implementations for delegated zone

ktm at rice.edu ktm at rice.edu
Fri Mar 16 13:54:01 UTC 2012


On Fri, Mar 16, 2012 at 02:31:34PM +0100, Remi Gacogne wrote:
> 
> Hi,
> 
> I noticed a difference in the behavior of bind, powerdns (using bind
> or MySQL backend) and nsd regarding the answer to an NS query
> for a delegated zone. Powerdns is responding to the query by putting
> corresponding NS RRs into the ANSWER section,
> whereas bind and nsd are putting them into the AUTHORITY section.
> 
> I am not sure what the correct answer is, as I haven't found a clear
> specification on this case yet.
> 
> RFC 1034 states that (3.7 Queries):
> 
> "Answer          Carries RRs which directly answer the query.
> 
> Authority       Carries RRs which describe other authoritative servers.
>                 May optionally carry the SOA RR for the authoritative
>                 data in the answer section."
> 
> But in this case, one could argue that NS RRs directly answer the
> query AND describe other authoritative servers, if I'm not mistaken.
> 
> Powerdns response:
> 
> $  drill ns info.example.com
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57206
> ;; flags: qr rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; info.example.com.    IN      NS
> 
> ;; ANSWER SECTION:
> info.example.com.       7200    IN      NS      ns1.other.net.
> info.example.com.       7200    IN      NS      ns2.other.net.
> 
> ;; AUTHORITY SECTION:
> 
> ;; ADDITIONAL SECTION:
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1
> ;; WHEN: Fri Mar 16 14:04:32 2012
> ;; MSG SIZE  rcvd: 79
> 
> Bind and NSD response:
> 
> $  drill ns info.example.com
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41836
> ;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; info.example.com.    IN      NS
> 
> ;; ANSWER SECTION:
> 
> ;; AUTHORITY SECTION:
> info.example.com.       7200    IN      NS      ns1.other.net.
> info.example.com.       7200    IN      NS      ns2.other.net.
> 
> ;; ADDITIONAL SECTION:
> 
> ;; Query time: 47 msec
> ;; SERVER: 217.0.0.1
> ;; WHEN: Fri Mar 16 14:12:26 2012
> ;; MSG SIZE  rcvd: 79
> 
> 
> Entire zone configuration:
> 
> $TTL 2d ; default TTL is 2 days
> $ORIGIN example.com.
> @              IN      SOA   ns1.isp.net. hostmaster.example.com. (
>                2003080800 ; serial number
>                2h         ; refresh =  2 hours
>                15M        ; update retry = 15 minutes
>                3W12h      ; expiry = 3 weeks + 12 hours
>                2h20M      ; minimum = 2 hours + 20 minutes
>                )
> 
> 
> info.example.com.       7200    IN      NS      ns1.other.net.
> info.example.com.       7200    IN      NS      ns2.other.net.
> example.com.    7200    IN      NS      ns0.isp.net.
> example.com.    7200    IN      NS      ns1.isp.net.
> 
> Regards,
> 
> Rémi Gacogne
> 
> 

The records returned are the RRs to actually answer the query so having them
in the answer section seems appropriate although apparently returning them
in the authority section works as well. The tie breaker for me is that a
Microsoft AD server returns them in the same form as PDNS but I suspect that
it really does not matter much.

Cheers,
Ken
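
An added example, not part of the original thread or of any of the servers discussed: a small Python parser that reports whether the NS RRs in a response sit in the ANSWER or the AUTHORITY section, which is the difference between the two drill outputs quoted above. The function names and the sample messages built by build_response() are constructed for illustration; the flags value 0x8100 corresponds to the "qr rd" shown in both outputs.

```python
import struct

NS = 2  # RR type code for NS (RFC 1035)

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, targets, section, ttl=7200, flags=0x8100):
    """Constructed sample: an NS response with the RRs in 'answer' or 'authority'."""
    rrs = b""
    for t in targets:
        rdata = encode_name(t)
        rrs += encode_name(qname) + struct.pack("!HHIH", NS, 1, ttl, len(rdata)) + rdata
    an, ns = (len(targets), 0) if section == "answer" else (0, len(targets))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, an, ns, 0)
    return header + encode_name(qname) + struct.pack("!HH", NS, 1) + rrs

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # pointer: two bytes, name ends here
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def ns_placement(msg):
    """Count NS RRs per section and label the response form."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    counts = {"answer": 0, "authority": 0}
    for section, n in (("answer", an), ("authority", ns)):
        for _ in range(n):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            counts[section] += rtype == NS
    if counts["answer"]:
        form = "answer"      # the form shown for PowerDNS above
    elif counts["authority"]:
        form = "authority"   # the form shown for BIND and NSD above
    else:
        form = "none"
    return {"aa": bool(flags & 0x0400), "form": form, **counts}
```

Feeding ns_placement() the raw bytes of a response captured from each server gives a quick way to record which form a given implementation returns for a delegated name.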


