  • #209
Closed
Issue created Apr 17, 2018 by Cathy Almond@cathyaDeveloper

Glue is no longer included for non-DNSSEC-signed zones since CHANGE 4596

BIND behaviour changed in a DNSSEC-validating resolver between 9.9.10-S2 and 9.9.11-S2 with respect to whether or not glue for NS RRsets is included in the query response from a resolver. Responses from a resolver no longer include glue that would previously have been included in the earlier version.

This occurs when the query response is for a zone that is not DNSSEC-signed. If the zone is DNSSEC-signed (and the answer and authority sections validate), then the glue is included.

named.conf contains "minimal-responses no;"

The likelihood is that this is a result of the following CHANGE:

4596.   [bug]           Validate glue before adding it to the additional
                        section. This also fixes incorrect TTL capping
                        when the RRSIG expired earlier than the TTL.
                        [RT #45062]

There is a lot of discussion in the bug ticket about whether or not it's appropriate to include non-DNSSEC-validated RRsets in the Additional section of a query response that is marked 'AD', but it did not appear that a decision was made not to include those RRsets in the response. It seems as if this change accidentally causes the additional section to be omitted from unsigned zones.

For example:

Querying a server running 9.9.10-S2:

$ dig @127.0.0.1 +dnssec 123-reg.co.uk NS

; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec 123-reg.co.uk NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49360
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;123-reg.co.uk.			IN	NS

;; ANSWER SECTION:
123-reg.co.uk.		3600	IN	NS	ns2.123-reg.co.uk.
123-reg.co.uk.		3600	IN	NS	ns.123-reg.co.uk.

;; ADDITIONAL SECTION:
ns.123-reg.co.uk.	172800	IN	A	212.67.202.2
ns2.123-reg.co.uk.	172800	IN	A	62.138.132.21

;; Query time: 204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 18:25:29 2018
;; MSG SIZE  rcvd: 109

Querying the server (with the same named.conf), but now running 9.9.11-S2:

$ dig @127.0.0.1 +dnssec 123-reg.co.uk NS

; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec 123-reg.co.uk NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5299
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;123-reg.co.uk.			IN	NS

;; ANSWER SECTION:
123-reg.co.uk.		3600	IN	NS	ns.123-reg.co.uk.
123-reg.co.uk.		3600	IN	NS	ns2.123-reg.co.uk.

;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 18:25:11 2018
;; MSG SIZE  rcvd: 77

I don't see the same effect when querying for a zone that is DNSSEC-signed; in both cases the additional section is included:

$ dig @127.0.0.1 +dnssec isc.org NS

; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec isc.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23805
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.			IN	NS

;; ANSWER SECTION:
isc.org.		7200	IN	NS	ns.isc.afilias-nst.info.
isc.org.		7200	IN	NS	sfba.sns-pb.isc.org.
isc.org.		7200	IN	NS	ord.sns-pb.isc.org.
isc.org.		7200	IN	NS	ams.sns-pb.isc.org.
isc.org.		7200	IN	RRSIG	NS 5 2 7200 20180509233246 20180409233246 19923 isc.org. lpHLy5TtOXoGo35vmGlyEbfBczZnbQQh581KmJsKSeWZPkAFuKZ9tVy1 dyS0AXGWF3Gk55AyEOo3wBf7qAXkgcFZTGVd0pXtvMAd8A0uhBEGuY8g LfW8JiPLPvMmVwt2niyyCB8fc9/9Bo6QMm65lH1qRsGqzBoqp8EmNz4t hLw=

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org.	7197	IN	A	199.6.1.30
ord.sns-pb.isc.org.	7197	IN	A	199.6.0.30
sfba.sns-pb.isc.org.	7197	IN	A	149.20.64.3
ams.sns-pb.isc.org.	7197	IN	AAAA	2001:500:60::30
ord.sns-pb.isc.org.	7197	IN	AAAA	2001:500:71::30
sfba.sns-pb.isc.org.	7197	IN		AAAA	2001:4f8:0:2::19
ams.sns-pb.isc.org.	7197	IN	RRSIG	A 5 4 7200 20180509233246 20180409233246 19923 isc.org. tJh+AJes3F3tCe32YCuWX/oxvdAq41Aqu5pRJ3sjsxqrznJ3+eIeVjMn Nh1s7MMVVYPGps5Gg97+SwfnNZepTUsanryJNAVzO6Ss7eZazPyKFEXp scIIz5lDQybVhE18xH9SE6XNL3Ax8a9/Sd2ptqxUb+P3TsIHoZb8wvuw s08=
ams.sns-pb.isc.org.	7197	IN	RRSIG	AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. vdZQ2BPieiDNjOIXc/8xDbITtApY8asfhTthj1c7SIBKYYqMqTsNU6ip ylXjAyv2bG34e5qaE9QcJEDBdqrl4sZsRFuFhJL7l344tKZ5lA4Iiva6 YdACLQ06HwcCN40LbISvamrgyvHeG4HDhGzY0gcDPCIJqT4IqQrj8ZHk m+M=
ord.sns-pb.isc.org.	7197	IN	RRSIG	A 5 4 7200 20180509233246 20180409233246 19923 isc.org. KWY5r1dvUA8XcSGw9VChkhlSBc0k3qRfPKUxX1MVSKWrOfOOod8AIj2S SelWLtSsvb/I78Yi3j4aPX8JAsrDIhYJ2ZWmsq7ogyV62zdL8l7mANdG cxzhLZwwYeFYlFsWlLvsuQguHw+5LHORaVJm3YwgXS61J1jpJWdd5CYD dME=
ord.sns-pb.isc.org.	7197	IN	RRSIG	AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. Xan/9muSnSTzFdA1k4ytUT4lkJk+lLn6Ckp7TqRsFhdzT8dwIBoR1NtN sGjknwU8vQ9J9Wof3YHnfPfjZFmUnpUVFfJD1n9FeaAm/YVzVeOWjL7u Q4EnrVUF9FS77CumediqCkZw6AmzSq1oCDcoWMHDJojQZ6o+GOLftW1F JJ8=
sfba.sns-pb.isc.org.	7197	IN	RRSIG	A 5 4 7200 20180509233246 20180409233246 19923 isc.org. xcCP7sgIaYj5zSiiFVUVHRz0FUTg5Sb/baeNw2LqtMWcqrfkhYOUQRrc jZHkDgoRM4edqWisjWWmU84EoK25vi2ybH/zzi9nqhU/+JJHcVUk67su FpkFceU1/FN5vwhmzcjv8zkSD/PXUF2a4uh4xKvyC2/mVi5ucgSXp+le zZ0=
sfba.sns-pb.isc.org.	7197	IN	RRSIG	AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. bTTiVlux7m3n4Qzil6YvNqvRwwwdnEY/aKauFrqHzLMe70TaUb1X8CT+ xnsdp917NYUBZ8apE4S3gSnUSP+cLA1H6a57vdWskIS0Zol1otisoDgW 5qVou6RCy0zhhXBDQ7bmqpGSo31lXeW3hI0ezTaXrAAMR/0UxHORZy/y j9w=

;; Query time: 3204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 16:59:05 2018
;; MSG SIZE  rcvd: 1436
Edited Apr 24, 2018 by Michał Kępień
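
The comparison made by eye in the report above can be scripted as a regression check when testing resolver upgrades. The following is an added example, not part of the original issue or of BIND: it parses `dig` text output and lists NS targets at or below the queried zone that have no A/AAAA record in the additional section. The sample inputs are trimmed from the two 123-reg.co.uk outputs quoted in the issue; the function names are hypothetical.

```python
import re

# Trimmed from the two dig outputs quoted in the issue (same query, same named.conf).
RESP_9_9_10_S2 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; ANSWER SECTION:
123-reg.co.uk.      3600    IN  NS  ns2.123-reg.co.uk.
123-reg.co.uk.      3600    IN  NS  ns.123-reg.co.uk.
;; ADDITIONAL SECTION:
ns.123-reg.co.uk.   172800  IN  A   212.67.202.2
ns2.123-reg.co.uk.  172800  IN  A   62.138.132.21
"""
RESP_9_9_11_S2 = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
123-reg.co.uk.      3600    IN  NS  ns.123-reg.co.uk.
123-reg.co.uk.      3600    IN  NS  ns2.123-reg.co.uk.
"""

def parse_dig(text):
    """Return (header flags, {section: [(owner, type, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        m = re.match(r";; (\w+) (?:PSEUDO)?SECTION:", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        fields = line.split()
        # Resource records are the non-comment lines: owner ttl class type rdata...
        if current and len(fields) >= 5 and not line.startswith(";"):
            sections[current].append((fields[0], fields[3], " ".join(fields[4:])))
    return flags, sections

def missing_glue(text):
    """NS targets at or below the owner name with no A/AAAA in ADDITIONAL."""
    _, sec = parse_dig(text)
    have_addr = {o.lower() for o, t, _ in sec.get("ADDITIONAL", []) if t in ("A", "AAAA")}
    missing = []
    for owner, rtype, rdata in sec.get("ANSWER", []):
        zone, target = owner.lower(), rdata.lower()
        in_zone = target == zone or target.endswith("." + zone)
        if rtype == "NS" and in_zone and target not in have_addr:
            missing.append(target)
    return sorted(missing)

if __name__ == "__main__":
    for name, resp in (("9.9.10-S2", RESP_9_9_10_S2), ("9.9.11-S2", RESP_9_9_11_S2)):
        print(name, "ad" in parse_dig(resp)[0], missing_glue(resp))
```

Neither sample response carries the `ad` flag, so the check separates the unsigned-zone case described in the issue from the signed isc.org case, where the flag is set and the addresses are present.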