DNS reply ADDITIONAL SECTION data with MX lookup ?

LaMont Jones lamont at security.hp.com
Wed Jun 21 18:45:50 UTC 2000

> Yes, but then you shouldn't really be trusting glue records from
> the parent (delegating) zone, should you?
> I mean, you have to have them in order to break the Catch-22, but
> it is my understanding that you should treat them as untrusted and
> re-verify them from the authoritative nameservers (if you really care
> about that sort of thing).

IIRC, the local named gets the answer from the root servers and caches
the addt'l info.  It then makes the bold leap of logic that says that
the peer returned all of the A RR's, or none of them, AA or not.
Accordingly, it doesn't reconfirm them.  Local daemons just get back
the result of their query of the (non-auth) local named, and assume
that they got all of the A RR's.

99.44% of the time, the answer is correct and usable, even though it's
just glue.  I'm not sure that solving it (querying one of the NS RR's
one more time just to get AA data) isn't a worse situation...

The good news is that if you're caching addt'l info from an MX RR query,
then you had to hit an authoritative nameserver, which means that they
are quite likely to have all of the correct A RR's from authoritative
nameservers for the MX RR's in their zone (unless they hold glue for a
subdomain that is delegated with partial glue, which also holds one of
their MX hosts.)
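The cache behaviour discussed above (additional-section data cached and then treated as the complete set of A RR's) is modelled by the following added Python sketch, which is not from this thread or from BIND: RRsets are ranked by the section and AA status they arrived with, lower-trust additional data never replaces higher-trust answer data, and a lookup reports whether the held set came only from an additional section and so should be re-verified. The names and addresses are constructed examples in RFC 5737 documentation space.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

class Rank(IntEnum):
    """Trust ranking for cached RRsets, simplified from RFC 2181 s5.4.1."""
    GLUE = 1            # additional section, AA clear (e.g. parent-zone glue)
    ADDITIONAL = 2      # additional section, AA set (e.g. A RR's sent with an MX answer)
    ANSWER_CACHED = 3   # answer section, AA clear (another cache's copy)
    ANSWER_AUTH = 4     # answer section, AA set (authoritative answer)

@dataclass(frozen=True)
class Entry:
    addresses: FrozenSet[str]
    rank: Rank

class Cache:
    """Address cache that never lets lower-trust data overwrite higher-trust data."""

    def __init__(self) -> None:
        self._store: Dict[str, Entry] = {}

    @staticmethod
    def _key(name: str) -> str:
        return name.lower().rstrip(".")

    def learn(self, name: str, addresses: Iterable[str], section: str, aa: bool) -> bool:
        """Record an A RRset seen in a reply; return True if the cache changed."""
        if section == "answer":
            rank = Rank.ANSWER_AUTH if aa else Rank.ANSWER_CACHED
        elif section == "additional":
            rank = Rank.ADDITIONAL if aa else Rank.GLUE
        else:
            raise ValueError(f"unknown section {section!r}")
        new = Entry(frozenset(addresses), rank)
        old = self._store.get(self._key(name))
        if old is not None and old.rank > new.rank:
            return False  # keep the more credible RRset already held
        self._store[self._key(name)] = new
        return True

    def lookup(self, name: str) -> Tuple[Optional[FrozenSet[str]], bool]:
        """Return (addresses, must_verify). must_verify is True unless the set
        came from an authoritative answer, i.e. it may be partial glue."""
        entry = self._store.get(self._key(name))
        if entry is None:
            return None, True
        return entry.addresses, entry.rank < Rank.ANSWER_AUTH

if __name__ == "__main__":
    c = Cache()  # constructed walk-through: MX reply glue, then an AA answer
    c.learn("mail.example.com", ["192.0.2.10"], "additional", aa=True)
    print(c.lookup("mail.example.com"))       # partial set, must_verify=True
    c.learn("mail.example.com", ["192.0.2.10", "192.0.2.11"], "answer", aa=True)
    print(c.lookup("mail.example.com"))       # full set, must_verify=False
```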

