copying the question section
paul at vix.com
Sun Aug 4 02:05:59 UTC 2002
> I beg to differ. All versions of BIND 9 treat an empty question
> section in a response as an error - see the following code in
> same_question() in lib/dns/resolver.c:
>     if (message->counts[DNS_SECTION_QUESTION] != 1)
>         return (DNS_R_FORMERR);
I see that this is correct according to [RFC1035 7.3]. When I tried to
implement this in 4.9.* or so, I got endless complaints about it.
| The next step is to match the response to a current resolver request.
| The recommended strategy is to do a preliminary matching using the ID
| field in the domain header, and then to verify that the question section
| corresponds to the information currently desired. [...]
> > some non-bind servers have been sending back empty question sections
> > for years now and it's been seen to cause no trouble.
> Which ones would that be? If such servers were actually deployed, I
> would expect BIND 9 users to have reported it.
I never tracked down who the bad dogs were, I just removed the requirement.
However, if BIND9 hasn't gotten complaints about it, then times have changed,
and we can forget about the whole thing. One note... let's not implement
[RFC1035 7.3] in its entirety:
| - Some name servers send their responses from different
| addresses than the one used to receive the query. That is, a
| resolver cannot rely that a response will come from the same
| address which it sent the corresponding query to. This name
| server bug is typically encountered in UNIX systems.
libresolv, libbind, and bind8 have required that the response source be the
same as the query destination since about the BIND KJB/4.9 era, and there's
no reason to relax now. (SunOS 4.1.3 was the culprit, and is long dead.)
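
The checks discussed in this message (response source equal to query destination, ID match, exactly one question, question equal to the one asked), as an added example that is not part of the original post and is not BIND's code. The struct, function and sample names are hypothetical, and the sample packets are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { ACCEPT, BAD_SOURCE, BAD_ID, FORMERR, BAD_QUESTION };

/* Hypothetical record of one outstanding query (not a BIND structure). */
struct pending {
    uint32_t dst_ip; uint16_t dst_port;   /* where the query was sent */
    uint16_t id;
    const unsigned char *question;        /* wire-format QNAME+QTYPE+QCLASS */
    size_t qlen;
};

/* Length of the uncompressed name at p, or 0 if malformed or truncated. */
static size_t name_len(const unsigned char *p, size_t avail) {
    for (size_t i = 0; i < avail; i += 1 + (size_t)p[i]) {
        if (p[i] == 0) return i + 1;
        if (p[i] > 63) return 0;          /* no compression pointers in a question */
    }
    return 0;
}

enum verdict check_response(const struct pending *q, uint32_t src_ip,
                            uint16_t src_port, const unsigned char *msg, size_t len) {
    if (src_ip != q->dst_ip || src_port != q->dst_port) return BAD_SOURCE;
    if (len < 12) return FORMERR;                       /* shorter than a header */
    if (((msg[0] << 8) | msg[1]) != q->id) return BAD_ID;
    if (((msg[4] << 8) | msg[5]) != 1) return FORMERR;  /* QDCOUNT must be 1 */
    size_t n = name_len(msg + 12, len - 12);
    if (n == 0 || len - 12 - n < 4) return FORMERR;
    if (n + 4 != q->qlen) return BAD_QUESTION;
    for (size_t i = 0; i < n; i++)                      /* names are case-insensitive */
        if (tolower(msg[12 + i]) != tolower(q->question[i])) return BAD_QUESTION;
    if (memcmp(msg + 12 + n, q->question + n, 4) != 0) return BAD_QUESTION;
    return ACCEPT;
}

/* Constructed samples: query for "example.com IN A" sent to 192.0.2.1:53. */
static const unsigned char Q[] = "\007example\003com\000\000\001\000\001";
const struct pending SAMPLE = { 0xC0000201u, 53, 0x1234, Q, sizeof Q - 1 };
const unsigned char GOOD[] = "\022\064\201\200\000\001\000\000\000\000\000\000"
                             "\007EXAMPLE\003com\000\000\001\000\001";
const unsigned char EMPTY_Q[] = "\022\064\201\200\000\000\000\000\000\000\000\000";

int main(void) {
    return check_response(&SAMPLE, 0xC0000201u, 53, GOOD, sizeof GOOD - 1) != ACCEPT;
}
```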