Question about negative answers from the cache of BIND9
Hideshi Enokihara wrote:
>Hi all,
>
>I have a question about negative answer from the cache of BIND9.
>
>For example, I assume the following network.
>
>----------------
>
> example.org domain
> AP Server1 DNS Server2
> |A.example.org |NS2.example.org
> | |
>Net-y --+--------+----------+--
> |
> |
> |
> Router
> |
> |
> |
>Net-z --+--------+----------+---
> | |
> | |
> DNS Server1 (BIND9) DNS Client1
>
>------------------
>
>In this network, I ran the following steps.
>
>1. DNS Client1 sends the query (QNAME=invalid.example.org, QTYPE=A) to DNS Server1 (BIND9).
>2. DNS Server1 (BIND9) sends the query to DNS Server2 (authoritative server for the example.org domain).
>   #Of course, DNS Server1 (BIND9) caches the authoritative server (DNS Server2) of the example.org. domain and the address of DNS Server2.
>3. DNS Server2 sends the response to DNS Server1 (BIND9) with RCODE=3 (NXDOMAIN).
>4. DNS Server1 (BIND9) sends the response to DNS Client1 with RCODE=3 (NXDOMAIN).
>
>5. Once more, DNS Client1 sends the query (QNAME=invalid.example.org, QTYPE=A) to DNS Server1 (BIND9).
>6. DNS Server1 (BIND9) sends the response to DNS Client1 with RCODE=3 (NXDOMAIN) from cache.
>
>The sequence is as follows.
>
> DNS Client1 DNS Server1(BIND9) DNS Server2
> | | |
> |----------------------------->| |
> | 1. Send standard query | |
> | QNAME=invalid.example.org | |
> | QTYPE=A | |
> | | |
> | |-------------------------------->|
> | | 2. Recv standard query |
> | | QNAME=invalid.example.org |
> | | QTYPE=A |
> | | |
> | |<--------------------------------|
> | | 3. Send standard query response |
> | | RCODE=3(NXDOMAIN) |
> | | QNAME=invalid.example.org |
> | | QTYPE=A |
> | | AUTHORITY Name=example.org |
> | | AUTHORITY TYPE=SOA |
> | | |
> | | |
> | | |
> |<-----------------------------| |
> | 4. Standard query response | |
> | RCODE= 3(NXDOMAIN) | |
> | QNAME=invalid.example.org | |
> | QTYPE=A | |
> | AUTHORITY Name=example.org | |
> | AUTHORITY TYPE=SOA | |
> | | |
> |----------------------------->| |
> | 5. Send standard query | |
> | QNAME=invalid.example.org | |
> | QTYPE=A | |
> | | |
> |<-----------------------------| |
> | 6. Standard query response | |
> | RCODE= 3(NXDOMAIN) | |
> | QNAME= invalid.example.org | |
> | QTYPE=A | |
> | AUTHORITY Name=example.org | |
> | AUTHORITY TYPE=SOA | |
> | | |
> v v v
>
>I have a question about step 6.
>
>RFC2308 6 - Negative answers from the cache says,
>
> As with all answers coming from the cache, negative answers SHOULD
> have an implicit referral built into the answer. This enables the
> resolver to locate an authoritative source. An implicit referral is
> characterised by NS records in the authority section referring the
> resolver towards a authoritative source.
>
>This sentence means that a DNS server should include NS records in the
>authority section when it sends a negative answer from the cache, right?
>
>But DNS Server1 (BIND9) does not include an NS record in the authority
>section at step 6.
>Why does BIND9 not include an NS record in the authority section when it
>sends the negative answer from the cache?
>
>I think this behavior of BIND9 does not follow the RFC.
>What do you think?
>
Well, a SHOULD is not the same as a MUST, so there is technically no RFC
violation here.
However, as the reference implementation for DNS, my curiosity is piqued
as to why BIND, of all implementations, would opt for default behavior
that contravenes a SHOULD from the relevant RFC.
- Kevin
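
One way to check a captured response for the implicit referral discussed in this thread, given as an added example that is not part of the original posts and is not BIND code. It parses a raw DNS message and reports which record types sit in the authority section; the two sample messages are constructed here, and the function names, the hostmaster mailbox name and the SOA timer values are assumptions.

```python
import struct

TYPE_NS, TYPE_SOA, RCODE_NXDOMAIN = 2, 6, 3

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] & 0xC0 != 0xC0:       # a compression pointer ends the name
        if msg[off] == 0:
            return off + 1               # root label ends the name
        off += 1 + msg[off]
    return off + 2

def authority_types(msg):
    """Return (rcode, RR types found in the authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    types = []
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:                      # records after the answer section
            types.append(rtype)
    return flags & 0x000F, types

def has_implicit_referral(msg):
    """True if an NXDOMAIN response carries NS records in its authority section."""
    rcode, types = authority_types(msg)
    return rcode == RCODE_NXDOMAIN and TYPE_NS in types

def build_nxdomain(qname, zone, with_ns):
    """Constructed sample response: SOA for zone, plus an NS record if with_ns."""
    soa = (encode_name("ns2." + zone) + encode_name("hostmaster." + zone)
           + struct.pack("!5I", 1, 3600, 900, 604800, 300))
    rrs = [(TYPE_SOA, soa)] + ([(TYPE_NS, encode_name("ns2." + zone))] if with_ns else [])
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for rtype, rdata in rrs:
        body += encode_name(zone) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8183, 1, 0, len(rrs), 0) + body

if __name__ == "__main__":
    for with_ns in (False, True):
        msg = build_nxdomain("invalid.example.org", "example.org", with_ns)
        print(authority_types(msg), has_implicit_referral(msg))
```

The first sample mirrors the step 6 response in the question (SOA only), the second the form RFC 2308 section 6 recommends (SOA plus NS).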