Hello DNS experts,

I am seeking opinions about an aspect of AXFR. Let's start with what BIND does. When configured as a slave, and receiving an AXFR, if there are out-of-zone records in the zone, BIND excludes them from its in-memory copy of the zone. However, it *does* save the entire zone to disk, including the bad records. When a downstream slave asks this instance of BIND for an AXFR, it provides the complete zone, including the bad records.

Now I'm looking at Knot DNS 1.3.0-rc5. When it receives an AXFR with out-of-zone records, it discards them completely. So when it saves the zone to disk, the out-of-zone records are not saved, and if a client asks this instance of Knot for an AXFR for this zone, the client will receive Knot's sanitised copy of the zone.

I can see the positive and negative sides to both approaches, and since RFC 5936 (AXFR) does not say anything specific about how to treat bad records in a zone, both BIND and Knot are doing what they think is right. BIND is trying to pass on the zone unchanged, but will of course not serve any out-of-zone records. Knot will not serve out-of-zone records, but will not pass them on either.

What do you all think is the correct behaviour? Or are both correct?

PS: I realise that Knot's behaviour could break a DNSSEC-signed zone, but then, no sane signer will sign a zone with out-of-zone records, so the process of signing a zone would force the operator to clean up their zone.

Regards,
Anand Buddhdev
RIPE NCC

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
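The two secondary behaviours contrasted in the post, as an added example that is not part of the original message and is not code from BIND or Knot: a small master-file parser classifies each record as in-zone or out-of-zone by checking whether its owner name is at or below the SOA owner (case-insensitively, with the leading dot in the suffix test so that notexample.test. is not mistaken for a child of example.test.), and two functions model a "pass-through" secondary (answers only from in-zone records, but transfers the zone as received) and a "sanitising" secondary (drops out-of-zone records on receipt, so downstream transfers get the cleaned copy). The zone text, the function names and the record dictionaries are all my own constructions; the parser handles one record per line with $ORIGIN, $TTL, "@", relative names, omitted owners and optional TTL/class, and nothing more.

```python
"""Added example: classify zone records as in-zone or out-of-zone and model the
two secondary-server policies described in the post. Standard library only; the
zone below is constructed for the example and is not a real zone."""

CLASSES = {"IN", "CH", "HS"}

# Constructed zone for example.test. The last two records are out of zone: one
# sits under a sibling of the apex, one at the parent apex. The child.* records
# are a delegation and its glue, which lie below the apex and so are in zone.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@         IN SOA  ns1.example.test. hostmaster.example.test. 2013070101 7200 900 1209600 3600
@         IN NS   ns1.example.test.
@         IN NS   ns2.example.test.
ns1       IN A    192.0.2.1
ns2       IN A    192.0.2.2
www       IN A    192.0.2.10
          IN AAAA 2001:db8::10          ; owner omitted: inherits "www"
child     IN NS   ns1.child.example.test.
ns1.child IN A    192.0.2.20            ; glue, below the apex, in zone
other.test.   IN A  198.51.100.1        ; out of zone (sibling of the apex)
test.     IN NS   ns1.example.test.     ; out of zone (parent apex)
"""


def absolute(name, origin):
    """Return NAME as an absolute, lower-case owner name with a trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError("relative name %r without $ORIGIN" % name)
    return (name + origin if origin == "." else name + "." + origin).lower()


def is_in_zone(owner, apex):
    """True if OWNER is the apex or lies below it. DNS names compare
    case-insensitively; the "." prefix on the suffix keeps notexample.test.
    out of example.test. The root zone contains every name."""
    owner, apex = owner.lower(), apex.lower()
    return apex == "." or owner == apex or owner.endswith("." + apex)


def parse_zone(text, origin=None):
    """Minimal master-file parser: $ORIGIN, $TTL, "@", relative names, omitted
    owners, optional TTL and class, one record per line. Parentheses, $INCLUDE,
    $GENERATE and ";" inside quoted TXT rdata are deliberately not handled."""
    records, ttl, last_owner = [], None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        if fields[0].startswith("$"):
            raise ValueError("unsupported directive %s" % fields[0])
        if line[0] in " \t":            # owner omitted: inherit the previous one
            if last_owner is None:
                raise ValueError("first record has no owner name")
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        rttl = ttl
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            tok = fields.pop(0)
            if tok.isdigit():
                rttl = int(tok)
        rtype = fields.pop(0).upper()
        records.append({"owner": owner, "ttl": rttl, "type": rtype,
                        "rdata": " ".join(fields)})
        last_owner = owner
    return records


def zone_apex(records):
    """The zone's apex is the owner name of its SOA record."""
    return next(r["owner"] for r in records if r["type"] == "SOA")


def split_zone(records, apex=None):
    """Partition RECORDS into (in_zone, out_of_zone) relative to the apex."""
    apex = apex or zone_apex(records)
    keep = [r for r in records if is_in_zone(r["owner"], apex)]
    drop = [r for r in records if not is_in_zone(r["owner"], apex)]
    return keep, drop


def passthrough_secondary(records):
    """Model of the first behaviour in the post: answer from the in-zone
    records only, but keep the zone as received and transfer it unchanged."""
    keep, drop = split_zone(records)
    return {"serves": keep, "ignored": drop, "axfr_out": list(records)}


def sanitising_secondary(records):
    """Model of the second behaviour: out-of-zone records are dropped on
    receipt, so downstream transfers receive the cleaned zone."""
    keep, drop = split_zone(records)
    return {"serves": keep, "ignored": drop, "axfr_out": keep}


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for label, policy in (("pass-through", passthrough_secondary),
                          ("sanitising", sanitising_secondary)):
        out = policy(recs)
        print("%s secondary for %s: serves %d, ignores %d, transfers %d" % (
            label, zone_apex(recs), len(out["serves"]), len(out["ignored"]),
            len(out["axfr_out"])))
        for r in out["ignored"]:
            print("  out of zone: %s %s %s" % (r["owner"], r["type"], r["rdata"]))
```

Run as a script, the two policies agree on what is answered (9 records) and on what is ignored (other.test. and test.), and differ only in what a downstream AXFR receives: 11 records from the pass-through model, 9 from the sanitising one. Checking a received zone with `split_zone` before loading it is the same test an operator would want to run on their own zone before signing it.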
