BIND 9 seems to be hiding necessary glue at the apex

Mark Andrews marka at isc.org
Thu May 28 03:54:29 UTC 2015 

In message <20150527153425.521d73e0 at casual>, Shane Kerr writes:
> All,
> 
> Over at the Yeti DNS project we are configuring replacement root
> servers. http://yeti-dns.org/
> 
> We discovered that BIND 9 does not seem to be responding properly.

Actually it responds correctly.  There is no requirement for a NS
query to return the addresses of the nameservers.  This includes
the root zone.  The only time when address records are required is
when you are returning a referral and the names of the nameservers
are below the current zone.

> Here is part of a write-up about the issue:
> 
> ------------------------------------------------------------------------
> 
> Desired Response
> ----------------
> When a resolver is priming, it does a query to one of the root server
> addresses that it knows about. This is described in this IETF draft:
> 
> https://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming
> 
> You can create a query that looks like this with the "dig" command:
> 
> $ dig @a.root-servers.net -t ns +norecurse +edns +nodnssec .
> 
> The "@a.root-servers.net" can be replaced with any name or address
> that serves the root zone, for example "@bii.dns-lab.net". 
> 
> The response contains the _names_ of the root servers in the answer
> section:
> 
> .			518400	IN	NS	a.root-servers.net.
> .			518400	IN	NS	b.root-servers.net.
>   ...
> .			518400	IN	NS	m.root-servers.net.
> 
> This is the list of name servers that carries the root zone.
> 
> The response carries the _addresses_ of the root servers in the
> additional section:
> 
> a.root-servers.net.	518400	IN	A	198.41.0.4
> b.root-servers.net.	518400	IN	A	192.228.79.201
>   ...
> m.root-servers.net.	518400	IN	AAAA	2001:dc3::35
> 
> The additional section data is what the resolvers need to actually
> perfrom recursion.

Actually they don't.  They can go back to the sbelt and request the
addresses records.  A RFC 1035 compliant recursive server will do
this.

> Serving the Additional Section
> ------------------------------
> Root zone file has:
> 
> net.                    172800  IN      NS      a.gtld-servers.net.
>   ...
> a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
>   ...
> 
> Because there are glue records for the "net" domain, BIND 9 will not
> return the "a.root-servers.net" addresses in the additional section.
> 
> In the general case, being able to get to "net" authority servers is
> enough to eventually get to "a.root-servers.net" so the IP addresses
> configured in the root zone are not necessary glue.
> 
> In the case of root priming, however, we *do* want to see the
> addresses for the "root-servers.net" servers. It is not technically
> necessary, but resolvers expect this information.
> 
> The solution to this is to make the root servers answer for the
> "root-servers.net" zone, as a sort of special case. When BIND 9 is
> configured this way, it will add in glue to responses to the priming
> query.
> 
> Note that NSD does not need to be configured for the
> "root-servers.net" zone, and happily returns glue in the additional
> section, whether configured for the "root-servers.net" zone or not.

NSD incorrectly promotes glue to answer.  They have been informed
of this bug in the past.  Additional records added to a NS query
to a zone's servers are answers not glue.

> ------------------------------------------------------------------------
> 
> 
> We would like to avoid the case where the root servers have to be
> authoritative for "root-servers.net" in order to return the proper
> glue. (We are planning on having root servers that fall under different
> domains, and do not want to have the root servers authoritative for all
> of them.)
> 
> 
> Paul Vixie pointed out that this is actually not just a root problem in
> particular, but probably affects any zone where the apex NS contains
> names that have been delegated.

Nope.  You just go to the parent server and get a new referral.  In
the root zones case this is going to the sbelt data.

> I am not sure, but I think this is an artifact of how the rbtdb works
> now. I can poke around in the code to try to get it to return glue in
> this case, but I'd like to discuss it with the BIND 9 team to see if
> this is going to get rejected out of hand before I spend a day or two
> trying to jawbone the code into submission. (Even better if someone
> could just say "oh yeah here's the one line fix for this".) ;)
> 
> 
> So... would a change to include glue for apex NS names that have been
> delegated likely be accepted or not? We're pretty sure this would be the
> correct behavior, although of course I am always willing to be
> convinced otherwise.
> 
> Cheers,
> 
> --
> Shane
> _______________________________________________
> bind-workers mailing list
> bind-workers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-workers
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-workers mailing list