must authority section be populated for a NOERROR response with the AA bit set?
kcd at daimlerchrysler.com
Thu Nov 18 23:23:29 UTC 2004
Irwin Tillman wrote:
>Can someone point me to the relevant RFC that covers this:
>When a nameserver authoritative for foo returns a (positive)
>NOERROR response for foo with the authoritative bit set,
>is the response required to include authority records?
>While the response typically does have authority records in this case,
>there's an application (lbnamed) that does not do so. Here's an example:
> % dig @hermes.princeton.edu arizona.princeton.edu.
> ; <<>> DiG 9.3.0 <<>> @hermes.princeton.edu arizona.princeton.edu.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;arizona.princeton.edu. IN A
> ;; ANSWER SECTION:
> arizona.princeton.edu. 0 IN CNAME phoenix.Princeton.EDU.
> phoenix.Princeton.EDU. 3600 IN A 126.96.36.199
> ;; Query time: 2 msec
> ;; SERVER: 188.8.131.52#53(hermes.princeton.edu)
> ;; WHEN: Thu Nov 18 13:59:32 2004
> ;; MSG SIZE rcvd: 111
>A customer tells me that under some circumstances, a BIND 9.3.0 nameserver
>attempting to resolve "arizona.princeton.edu" will produce the
>"multiple RRs of singleton type" error when confronted with the
>response above. (I've not been able to reproduce the failure
>here, but it may require the BIND nameserver to be configured in some
>I can't find a spot in the relevant RFCs that require the authority section
>to be populated in the response above. Does anyone know if the RFCs
>say so (and if so, where?).
A regular answer (i.e. NOERROR with RRs in the answer section) does not
require a populated Authority Section, but may require RRs in the
Additional Section if the RRs in the Answer Section cause Additional
Section processing. Many of the AA=1 response examples in Section 6.2 of
RFC 1034 have an empty Authority Section, so it must be legal.

But, I'm not sure what this has to do with a "multiple RRs of singleton
type" error. That error will be triggered regardless of whether the
offending RRs appear in the Answer Section or the Authority Section.
The response you show above doesn't have "multiple RRs of singleton
type" (e.g. two CNAMEs or SOAs with the same owner name), by the way,
and no configuration of BIND on the receiving side would make it think
that it does.

I'd recommend getting the customer to reproduce the problem and
capturing packets to see what response their nameserver is actually seeing.
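
Added example (not part of the original post and not BIND's own code): a Python check that reads the record lines of a dig response and reports any owner name carrying more than one CNAME or SOA within a section, which is the condition the reply describes. The function names, the `example.test` records and the restriction to the two types named in the reply are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Singleton types named in the reply (CNAME, SOA); deliberately not a full list.
SINGLETON_TYPES = {"CNAME", "SOA"}
SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_rrs(dig_text):
    """Yield (section, owner, rrtype, rdata) for each RR line in dig output."""
    section = None
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None  # any other ';;' line ends the section
        elif section and line and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                owner, _ttl, _cls, rrtype, rdata = m.groups()
                # Owner names compare case-insensitively in DNS.
                yield section, owner.lower().rstrip("."), rrtype.upper(), rdata

def singleton_violations(dig_text):
    """Map (section, owner, rrtype) -> rdata list where a singleton type repeats."""
    seen = defaultdict(list)
    for section, owner, rrtype, rdata in parse_rrs(dig_text):
        if rrtype in SINGLETON_TYPES:
            seen[(section, owner, rrtype)].append(rdata)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Record lines copied from the dig output quoted in the post.
PAGE_RESPONSE = """\
;; ANSWER SECTION:
arizona.princeton.edu. 0 IN CNAME phoenix.Princeton.EDU.
phoenix.Princeton.EDU. 3600 IN A 126.96.36.199
"""

# Constructed response: two CNAMEs at one owner name (differing only in case).
CONSTRUCTED_BAD = """\
;; ANSWER SECTION:
www.example.test. 300 IN CNAME a.example.test.
WWW.Example.Test. 300 IN CNAME b.example.test.
;; AUTHORITY SECTION:
example.test. 300 IN SOA ns.example.test. host.example.test. 1 2 3 4 5
"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_RESPONSE), ("constructed", CONSTRUCTED_BAD)):
        print(name, singleton_violations(text) or "no singleton conflicts")
```

Feeding it the dig output of a captured or replayed response shows whether the condition is present in what the resolver actually received.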