Bug 253 - Copying bad behavior from Bind: NS set added to additional section for DNSKEY query
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
other
All All
: P2 normal
Assigned To: NSD team
Reported: 2009-06-10 23:58 CEST by Olafur Gudmundsson
Modified: 2010-12-10 12:13 CET (History)
Description Olafur Gudmundsson 2009-06-10 23:58:56 CEST
Bind < 9.6 in response to DNSKEY query added the NS set to the authority section. This is totally redundant and when a zone is signed this may lead to TCP queries as answers are returned truncated. 
Bind >= 9.6.0 does not do this anymore.

Please just return what the resolver asked for 
example: 
dig @b2.org.afilias-nst.org org. dnskey +dnssec +bufsize=1500

to see the difference between bind and NSD 
dig @a0.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd 
dig @a2.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd 
dig @b0.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd 
dig @b2.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd 
dig @c0.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd 
dig @d0.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd 

the larger answers are from NSD. 

  thanks 

 Olafur
Comment 1 Matthijs Mekking 2009-06-15 14:25:53 CEST
Fixed and will be available in versions 3.2.3 and up.
For now, we have added a QTYPE == DNSKEY check, if more relevant QTYPEs come up we can add them to the check.
Comment 2 Anand Buddhdev 2010-07-29 15:55:27 CEST
How about a similar check for QTYPE == DS, and also returning minimal responses? It's the same principle as for DNSKEY queries.
Comment 3 Matthijs Mekking 2010-12-10 12:13:56 CET
In trunk now!
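
The check discussed in this report can be made offline against captured response bytes. The following is an added example, not NSD code and not part of the original report: it parses DNS wire format, lists the record types in each section, and flags DNSKEY or DS responses that carry NS records outside the answer section. The function names and the two sample messages for the zone "example." are constructed for illustration.

```python
import struct

TYPES = {2: "NS", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label 1

def section_types(msg):
    """Return (qtype, tc_bit, [answer, authority, additional]) for a DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qtype = 12, None
    for _ in range(qd):
        off = skip_name(msg, off)
        (qtype,) = struct.unpack("!H", msg[off:off + 2])
        off += 4                                  # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        types = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(TYPES.get(rtype, str(rtype)))
        sections.append(types)
    return TYPES.get(qtype, str(qtype)), bool(flags & 0x0200), sections

def redundant_ns(msg):
    """True when a DNSKEY or DS response carries NS records outside the answer."""
    qtype, _tc, (_answer, authority, additional) = section_types(msg)
    return qtype in ("DNSKEY", "DS") and "NS" in authority + additional

# --- constructed sample messages (not captured traffic) ---
def name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"

def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def response(qtype, answer, authority):
    hdr = struct.pack("!6H", 0x1234, 0x8400, 1, len(answer), len(authority), 0)
    return hdr + name("example.") + struct.pack("!2H", qtype, 1) + b"".join(answer + authority)

KEY = rr("example.", 48, struct.pack("!HBB", 257, 3, 8) + b"\0" * 32)  # placeholder key
NS1, NS2 = (rr("example.", 2, name(h + ".example.")) for h in ("ns1", "ns2"))
MINIMAL = response(48, [KEY], [])          # only what the resolver asked for
PADDED = response(48, [KEY], [NS1, NS2])   # same answer plus the NS set
```

On real captures the RRSIGs accompanying the NS set add to the size difference, which is what pushes signed responses toward truncation.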