On 7/8/2011 3:04 AM, Chris Buxton wrote:
On Jul 7, 2011, at 6:32 PM, Feng He wrote:
2011/7/8 Kevin Darcy<k...@chrysler.com>:
I think it's worth emphasizing that in the first case, the contents of the
Authority Section were *mandatory* (see RFC 2308, Negative Caching), whereas
in the second case the authoritative nameserver was *optionally* providing
NS records in the Authority Section. It could have legally left the
Authority Section completely empty, and in fact many load-balancers,
pretending (to various degrees of competence) to be authoritative
nameservers, will give responses that look like that.

In the second case I think the NS records should be there in the
Authority Section.
Consider this case:

example.com.  IN   NS    dns.example.com.
l2.example.com.  IN  NS   dns.example.com.
l3.l2.example.com.  IN  NS   dns.example.com.

When a query for example, dig l3.l2.example.com @dns.example.com, the
nameserver answers without the Authority Section, then the client
won't know the answer is in which authority zone.

While that is correct, it is also unimportant. Everything will work as expected 
if the resolver never finds that out. Ditto if the resolver does discover it.

As for Kevin's assertion that the SOA record in the authority section is 
required for a negative response, this is also incorrect. RFC 2308 is a 
proposed standard, not a standard.

OK, I stand corrected. It's mandatory per a Proposed Standard that hasn't had any major objections, reported flaws, or updates in years, and is implemented in virtually every authoritative nameserver -- including load-balancers, pretending to be auth nameservers, and which break a whole raft of other standards and/or best practices -- and resolver.

*Technically* a negative response can be given that does not conform to RFC 2308, and no RFC Police will show up at one's doorstep wielding an arrest warrant...

Further, section 8 of this RFC does not say explicitly that an SOA must be 
included in a negative response, only that it must be cached (presumably only 
if present). We might ask the author, Mark Andrews, for clarification of this 
point.

Um, Section 8 talks about how resolvers deal with negative caching. Section 3 talks about responses from authoritative servers, and that was the subject of this thread. Section 3 is quite clear on the point:

"3 - Negative Answers from Authoritative Servers

Name servers authoritative for a zone MUST include the SOA record of the zone in the authority section of the response when reporting an NXDOMAIN or indicating that no data of the requested type exists."


- Kevin
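
The distinction argued in this thread can be checked on the wire. The following is an added example, not code from any participant or from BIND: it parses the header and record types of a DNS response and reports whether an authoritative negative answer carries the SOA that RFC 2308 section 3 calls for. The sample messages are constructed from the zone names used above; `build`, `classify` and the record data are assumptions made for illustration, and CNAME chains are not handled.

```python
import struct

A, SOA = 1, 6

def _name(s):
    """Encode a domain name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def build(rcode, qname, answers=(), authority=()):
    """Build a constructed authoritative response (QR and AA set) as sample input."""
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, len(answers), len(authority), 0)
    msg += _name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, rdata in (*answers, *authority):
        msg += _name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Classify a response against RFC 2308 section 3."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    if not aa:
        return "not authoritative"
    if rcode == 3 or (rcode == 0 and an == 0):    # NXDOMAIN, or NOERROR with no answers
        return "negative, SOA present" if SOA in types[an:] else "negative, SOA missing"
    return "positive"

SOA_RDATA = (_name("dns.example.com") + _name("hostmaster.example.com")
             + struct.pack("!5I", 1, 3600, 600, 86400, 300))
SAMPLES = {  # constructed responses using the zone names from the thread
    "nxdomain": build(3, "nope.example.com", authority=[("example.com", SOA, SOA_RDATA)]),
    "nodata_bare": build(0, "l2.example.com"),
    "positive_bare": build(0, "l3.l2.example.com", answers=[("l3.l2.example.com", A, bytes([192, 0, 2, 1]))]),
}
```

A positive answer with an empty Authority Section classifies as plain "positive", matching the point that NS records there are optional, while a bare NOERROR with no answer and no SOA is flagged.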


