must authority section be populated for a NOERROR response with the AA bit set?
Jonathan de Boyne Pollard
J.deBoynePollard at Tesco.NET
Wed Nov 24 04:42:54 UTC 2004
IT> Can someone point me to the relevant RFC that covers this:
Yes.
IT> When a nameserver authoritative for foo returns a (positive)
IT> NOERROR response for foo with the authoritative bit set,
IT> is the response required to include authority records?
No. See RFC 1034 section 4.3.1 (which comprises two of the many errors
in that document, note, being wrongly indented and badly worded) and
consider the type 3 examples in RFC 2308 section 2. The inclusion of
delegation information along with the answer is merely an optimisation,
attempting to ensure that the delegation information in caching
resolving proxy DNS servers does not expire, and thus that it does not
have to be explicitly looked up again.
IT> A customer tells me that under some circumstances, a BIND 9.3.0
IT> nameserver attempting to resolve "arizona.princeton.edu" will produce
IT> the "multiple RRs of singleton type" error when confronted with the
IT> response above.
That's nothing to do with the "authority" section.
You are not the first person to be seeing multiple "CNAME" resource
records for "*.princeton.edu." domain names recently, and the problem is
not confined to users of ISC's BIND. Users of Microsoft's DNS server
are seeing this as well. Notice the TTLs of 0 seconds on the various
"CNAME" resource records that Princeton is publishing, which is foolish
and needless. I have my suspicions that both softwares follow client-side
alias chains during query resolution in the same way, and that a latent
problem in that common mechanism is being triggered by the daft 0 second
TTLs. What to do when part of the client-side alias chain, that one is
building up in a complete answer, that one has already obtained expires
as one is looking up the remainder of the complete answer is one of the
many things that one has to think hard about when writing a resolving
proxy DNS server. And it _is_ possible to get things wrong in a way
that produces the results that you and others are seeing. I don't have
the time at the moment to review the code to test my suspicions, though.
More information about the bind-users
mailing list