[Pdns-users] [Fwd: Re: DiG: Hopefully Final Thoughts..]
Brian Candler
b.candler at pobox.com
Mon Feb 20 18:16:14 UTC 2017
On 20/02/2017 00:38, stancs3 wrote:
> I have attached the remaining thing I cannot resolve (no pun).
>
> 1. The test above the ===== line is:
>
> Recursor listening on port 53, forwarding to auth server listening on
> port 5300.
>
> Dig of NS replies with no Additional section.
> Dig of ns1 replies with the A record.
>
>
>
> 2. The test below the ===== line is:
>
> No recursor, auth server listening on port 53.
>
> Dig of NS replies with Additional section showing the A records for
> both NSs.

This is correct behaviour.

The "additional" section is for glue records, and they are only needed
for a resolver talking to an authoritative server, and only in a special
circumstance. They solve the chicken-and-egg problem: if you are
resolving a name within domain EXAMPLE.COM, and the delegation is to
NS1.EXAMPLE.COM, then you need to send the query to NS1.EXAMPLE.COM. But
to send a packet, you need an address to send it to. And in order to
find the address of NS1.EXAMPLE.COM you need to talk to the nameservers
for EXAMPLE.COM!

The glue records give a hint as to what addresses to try, when the
delegation is to a nameserver whose name is within the zone being queried.

However, when a client is talking to a resolver, it does not need to see
glue. It just sees the answer (or lack of answer). It's the resolver's
job to contact authoritative nameserver(s) on its behalf.

Regards,

Brian.
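
Added example (not part of the message above, and not PowerDNS code): a small check that decides, for each NS name of a delegation, whether glue is needed and whether the Additional section supplied it. The function names, the zone data and the 192.0.2.53 address are constructed for illustration.

```python
# Added illustration; names and zone data are constructed, not from the thread.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring the trailing root dot."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def in_zone(name, zone):
    """True if name is at or below zone, compared label by label.
    A plain string suffix test would wrongly accept ns.badexample.com."""
    n, z = labels(name), labels(zone)
    return len(z) == 0 or (len(n) >= len(z) and n[-len(z):] == z)

def check_delegation(zone, ns_names, additional):
    """Classify each NS name of a delegation for `zone`.
    additional maps owner name -> list of addresses seen in the
    Additional section of the authoritative server's reply."""
    glue = {labels(owner): addrs for owner, addrs in additional.items()}
    report = {}
    for ns in ns_names:
        if not in_zone(ns, zone):
            # Name lives elsewhere; the resolver can look it up independently.
            report[ns] = "no glue needed"
        elif glue.get(labels(ns)):
            report[ns] = "glue ok"
        else:
            # Chicken-and-egg: the address can only be learned from this zone.
            report[ns] = "glue MISSING"
    return report

if __name__ == "__main__":
    # Constructed delegation for example.com (documentation address range).
    ns_set = ["ns1.example.com", "ns2.example.com",
              "ns.example.net", "ns.badexample.com"]
    additional = {"NS1.EXAMPLE.COM.": ["192.0.2.53"]}
    for ns, status in check_delegation("example.com", ns_set, additional).items():
        print(f"{ns:22} {status}")
```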