Ignoring out-of-zone RRs in additional section
jw354 at cornell.edu
Fri Jul 13 15:57:24 UTC 2007
When BIND9 performs queries, e.g. to recurse, it ignores
any A record for a nameserver appearing in the additional section if
that nameserver name is not within the zone being queried.
BIND9 will not follow such a delegation unless there is
an authoritative A record for such a nameserver.
This is a measure against cache poisoning.
What versions of BIND8 and 9 first adopted this behavior?
Dates when this was introduced?
What RFC, ietf draft, or other good-practices document
recommends this behavior?
Anyone know whether the Microsoft DNS server follows
(Bernstein's document mentions that BIND adopted this
measure in 1997, but I've found nothing more specific.
RFC1034, rather old, appears to me to authorize the
behavior but not to go so far as to recommend it.)
(Who is tired of answering queries about this behavior
while not knowing any references regarding it other
than an occasional message on the bind list.)
More information about the bind-users