Bugzilla – Bug 253
Copying bad behavior from Bind: NS set added to additional section for DNSKEY query
Last modified: 2010-12-10 12:13:56 CET
Bind < 9.6, in response to a DNSKEY query, added the NS set to the authority section. This is totally redundant, and when a zone is signed this may lead to TCP queries as answers are returned truncated.
Bind >= 9.6.0 does not do this anymore.
Please just return what the resolver asked for.
dig @b2.org.afilias-nst.org org. dnskey +dnssec +bufsize=1500
to see the difference between Bind and NSD.
dig @a0.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd
dig @a2.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd
dig @b0.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd
dig @b2.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd
dig @c0.org.afilias-nst.info. org. dnskey +dnssec | grep rcvd
dig @d0.org.afilias-nst.org. org. dnskey +dnssec | grep rcvd
The larger answers are from NSD.
Fixed and will be available in versions 3.2.3 and up.
For now, we have added a QTYPE == DNSKEY check; if more relevant QTYPEs come up we can add them to the check.
How about a similar check for QTYPE == DS, and also returning minimal responses? It's the same principle as for DNSKEY queries.
In trunk now!
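To make the size argument in the report and the QTYPE == DNSKEY / DS check from the comments concrete, here is an added example (not NSD's or Bind's code) that assembles a signed DNSKEY response in wire format with and without the redundant NS set in the authority section, and reports whether it would exceed the EDNS buffer size from the report. The key and signature material and the key set (two 2048-bit KSKs mid-rollover, two 1024-bit ZSKs) are constructed assumptions, not the real org. keys; only record lengths matter here.

```python
import os
import struct

DNSKEY, DS, NS, RRSIG, OPT = 48, 43, 2, 46, 41
ZONE = "org."
EDNS_BUFSIZE = 1500            # the +bufsize=1500 used in the report
MINIMAL_QTYPES = {DNSKEY, DS}  # the QTYPE check from the comments: no NS set for these

def encode_name(name):
    """Dotted name -> uncompressed wire format (compression would shave only a few bytes here)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(owner, rtype, rdata, ttl=86400):
    """One RR: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def dnskey_rdata(flags, modulus_len):
    """RSA DNSKEY RDATA: flags, protocol 3, algorithm 8, exponent-length byte, e=65537, modulus."""
    return struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + os.urandom(modulus_len)

def rrsig_rdata(covered, signer, sig_len):
    """RRSIG RDATA: 18 fixed bytes (type covered .. key tag), signer name, signature."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 1, 86400, 0, 0, 0)
    return fixed + encode_name(signer) + os.urandom(sig_len)

# Constructed key set (assumption, not the real org. keys); the DNSKEY RRset is signed by each KSK.
ANSWER = [rr(ZONE, DNSKEY, dnskey_rdata(257, 256)), rr(ZONE, DNSKEY, dnskey_rdata(257, 256)),
          rr(ZONE, DNSKEY, dnskey_rdata(256, 128)), rr(ZONE, DNSKEY, dnskey_rdata(256, 128)),
          rr(ZONE, RRSIG, rrsig_rdata(DNSKEY, ZONE, 256)), rr(ZONE, RRSIG, rrsig_rdata(DNSKEY, ZONE, 256))]
# The redundant NS set (the six servers queried in the report) plus its RRSIG, signed by a ZSK.
NS_HOSTS = ["a0.org.afilias-nst.info.", "a2.org.afilias-nst.info.", "b0.org.afilias-nst.org.",
            "b2.org.afilias-nst.org.", "c0.org.afilias-nst.info.", "d0.org.afilias-nst.org."]
AUTHORITY = [rr(ZONE, NS, encode_name(h)) for h in NS_HOSTS] + [rr(ZONE, RRSIG, rrsig_rdata(NS, ZONE, 128))]

def build_response(qtype, minimal_responses, bufsize=EDNS_BUFSIZE):
    """Assemble the signed response; return (wire size, True if it exceeds the UDP buffer size)."""
    answer = ANSWER if qtype == DNSKEY else []   # only the DNSKEY case is populated in this example
    authority = [] if (minimal_responses and qtype in MINIMAL_QTYPES) else AUTHORITY
    opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000, 0)  # root owner, bufsize, DO bit
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), len(authority), 1)  # QR|AA
    wire = header + encode_name(ZONE) + struct.pack("!HH", qtype, 1) + b"".join(answer + authority) + opt
    return len(wire), len(wire) > bufsize  # over bufsize: server sets TC, resolver retries over TCP

if __name__ == "__main__":
    for minimal in (False, True):
        size, tc = build_response(DNSKEY, minimal)
        print(f"minimal_responses={minimal}: {size} bytes, truncated={tc}")
```

With this key set the minimal answer fits the 1500-byte buffer with a few bytes to spare, while the extra NS RRset and its RRSIG push the same answer past it, which is the TCP fallback the report describes.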