Re: additional section policy

2014-01-21 Thread Kevin Darcy
If the names of the referred nameservers are in the domain of the 
referral (e.g. *.example.com nameservers referred for the example.com 
delegation), then it is *mandatory* to fill in the Additional Section 
with the relevant A/ address records, since there is no other way 
for the referral to work (chicken-and-egg problem).


In most other cases, the contents of the Additional Section are 
discretionary; the responding nameserver can fill in whatever it thinks 
is "useful" to the requester. For security reasons, though, the 
requester would be wise to only pay attention to those records in the 
Additional Section that are within the "bailiwick" of the original 
question, otherwise they might accept something untrustworthy into their 
cache (the whole "bailiwick" thing is confusing, but 
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug 
explains it fairly well).


The decision of what nameserver, among several, gets picked for 
resolving iterative queries for a particular domain, is only 
tangentially related to Additional Section processing, since NS records 
can be fetched or seen in a variety of ways, and they are (as Chris 
responded) selected via an adaptive algorithm based on SRTT (smoothed 
round-trip time). Even that, however, has been proven to be somewhat 
susceptible to attack:


http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/

in order to steer traffic to particular nameservers, for purposes, 
presumably, of DoS or to magnify the effect of a subset of nameservers 
having been compromised.


- Kevin

On 1/19/2014 10:30 PM, houguanghua wrote:

Dear all,

Would you please tell me which RFC depicts the policy of 'additional 
section'? and how bind server deals with 'additional section'?


Sometimes the number of 'additional section' is more than number of 
'authority section'. I don't know how local bind server will do when 
receiving these additional sections.

Local Bind server may:
   -- pick one name server randomly
   -- or use sophisticated policies that "score" name servers and pick 
more often the ones that replied faster


Which is right?

Thanks!
Guanghua


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


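The "bailiwick" rule Kevin describes above, as an added example that is not part of the thread or of BIND's code: a minimal filter a cautious resolver could apply to the Additional Section of a referral. It assumes the bailiwick is the zone the responding server is authoritative for (the hypothetical `server_zone` parameter), and adds one stricter check beyond the post, keeping only address records for name servers actually named in the referral's NS set.

```python
# Added example (not from the thread): an in-bailiwick filter for the
# Additional Section of a referral, as a recursive resolver might apply it.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name
    rtype: str  # "NS", "A", "AAAA", ...
    rdata: str  # target name for NS, address for A/AAAA


def canon(name: str) -> str:
    """Canonical form: lowercase, no trailing dot (the root becomes '')."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of it."""
    n, z = canon(name), canon(zone)
    return z == "" or n == z or n.endswith("." + z)


def accept_glue(server_zone: str, authority: list[RR], additional: list[RR]) -> list[RR]:
    """Return the Additional Section records a cautious resolver would cache.

    server_zone: the zone the responding server is authoritative for (its
    bailiwick), e.g. "com" for a gTLD server.  A record is kept only if it is
    A/AAAA, its owner name lies inside that bailiwick, and it belongs to a
    name server named in the referral's NS set (the last check is stricter
    than the post requires).
    """
    ns_targets = {canon(rr.rdata) for rr in authority if rr.rtype == "NS"}
    kept = []
    for rr in additional:
        if rr.rtype not in ("A", "AAAA"):
            continue
        if not in_bailiwick(rr.name, server_zone):
            continue  # out of bailiwick: the record the cache must not trust
        if canon(rr.name) not in ns_targets:
            continue  # unrelated record: not needed to follow the referral
        kept.append(rr)
    return kept


# Constructed referral from a "com" server for example.com (documentation addresses)
AUTHORITY = [RR("example.com.", "NS", "ns1.example.com."),
             RR("example.com.", "NS", "ns2.example.com.")]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.1"),       # required glue, in bailiwick
    RR("ns2.example.com.", "AAAA", "2001:db8::2"),  # required glue, in bailiwick
    RR("www.example.net.", "A", "203.0.113.9"),     # out of bailiwick: dropped
    RR("mail.example.com.", "A", "192.0.2.50"),     # in bailiwick but not an NS
]

if __name__ == "__main__":
    for rr in accept_glue("com", AUTHORITY, ADDITIONAL):
        print(rr)
```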

Re: additional section policy

2014-01-20 Thread Chris Buxton
On Jan 19, 2014, at 7:30 PM, houguanghua wrote:
> Would you please tell me which RFC depicts the policy of 'additional 
> section'? and how bind server deals with 'additional section'? 
>  
> Sometimes the number of 'additional section' is more than number of 
> 'authority section'. I don't know how local bind server will do when 
> receiving these additional sections. 
> Local Bind server may:
> -- pick one name server randomly
> -- or use sophisticated policies that "score" name servers and pick more 
> often the ones that replied faster
> 
> Which is right?

The additional section is filled in by the responding name server with whatever 
records it feels would help the querier in the near future. This could be, for 
example, the addresses of name servers listed in NS records. It appears you’re 
asking about specifically this case. This behavior is described in RFC 1034 or 
1035, I believe.

As for responding to this data by following up on a referral and asking a 
listed name server, the BIND name server uses the RTT (round trip time) 
algorithm. Basically, it tries to guess which remote server would respond 
fastest and queries that server.

Regards,
Chris Buxton


additional section policy

2014-01-19 Thread houguanghua
Dear all,
 
Would you please tell me which RFC depicts the policy of 'additional section'? 
and how bind server deals with 'additional section'? 
 
Sometimes the number of 'additional section' is more than number of 'authority 
section'. I don't know how local bind server will do when receiving these 
additional sections. 
Local Bind server may:
   -- pick one name server randomly
   -- or use sophisticated policies that "score" name servers and pick more 
often the ones that replied faster


Which is right?
 
Thanks!
Guanghua