Glue is no longer included for non-DNSSEC-signed zones since CHANGE 4596
BIND behaviour in a DNSSEC-validating resolver changed between 9.9.10-S2 and 9.9.11-S2 with regard to whether glue for NS RRsets is included in the query response from a resolver. Responses from a resolver no longer include glue that would previously have been included in the earlier version.
This occurs when the query response is for a zone that is not DNSSEC-signed. If the zone is DNSSEC-signed (and the answer and authority sections validate), then the glue is included.
named.conf contains "minimal-responses no;"
The likelihood is that this is a result of the following CHANGE:
    4596. [bug] Validate glue before adding it to the additional
                section. This also fixes incorrect TTL capping
                when the RRSIG expired earlier than the TTL.
                [RT #45062]
There is a lot of discussion in the bug ticket about whether or not it's appropriate to include non-DNSSEC-validated RRsets in the Additional section of a query response that is marked 'AD', but it did not appear that a decision was made not to include those RRsets in the response. It seems as if this change accidentally causes the additional section to be omitted from unsigned zones.
For example:
Querying a server running 9.9.10-S2:
$ dig @127.0.0.1 +dnssec 123-reg.co.uk NS
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec 123-reg.co.uk NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49360
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;123-reg.co.uk. IN NS
;; ANSWER SECTION:
123-reg.co.uk. 3600 IN NS ns2.123-reg.co.uk.
123-reg.co.uk. 3600 IN NS ns.123-reg.co.uk.
;; ADDITIONAL SECTION:
ns.123-reg.co.uk. 172800 IN A 212.67.202.2
ns2.123-reg.co.uk. 172800 IN A 62.138.132.21
;; Query time: 204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 18:25:29 2018
;; MSG SIZE rcvd: 109
Querying the server (with the same named.conf), but now running 9.9.11-S2:
$ dig @127.0.0.1 +dnssec 123-reg.co.uk NS
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec 123-reg.co.uk NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5299
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;123-reg.co.uk. IN NS
;; ANSWER SECTION:
123-reg.co.uk. 3600 IN NS ns.123-reg.co.uk.
123-reg.co.uk. 3600 IN NS ns2.123-reg.co.uk.
;; Query time: 179 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 18:25:11 2018
;; MSG SIZE rcvd: 77
I don't see the same effect when querying for a zone that is DNSSEC-signed; in both cases the additional section is included:
$ dig @127.0.0.1 +dnssec isc.org NS
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 +dnssec isc.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23805
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 13
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN NS
;; ANSWER SECTION:
isc.org. 7200 IN NS ns.isc.afilias-nst.info.
isc.org. 7200 IN NS sfba.sns-pb.isc.org.
isc.org. 7200 IN NS ord.sns-pb.isc.org.
isc.org. 7200 IN NS ams.sns-pb.isc.org.
isc.org. 7200 IN RRSIG NS 5 2 7200 20180509233246 20180409233246 19923 isc.org. lpHLy5TtOXoGo35vmGlyEbfBczZnbQQh581KmJsKSeWZPkAFuKZ9tVy1 dyS0AXGWF3Gk55AyEOo3wBf7qAXkgcFZTGVd0pXtvMAd8A0uhBEGuY8g LfW8JiPLPvMmVwt2niyyCB8fc9/9Bo6QMm65lH1qRsGqzBoqp8EmNz4t hLw=
;; ADDITIONAL SECTION:
ams.sns-pb.isc.org. 7197 IN A 199.6.1.30
ord.sns-pb.isc.org. 7197 IN A 199.6.0.30
sfba.sns-pb.isc.org. 7197 IN A 149.20.64.3
ams.sns-pb.isc.org. 7197 IN AAAA 2001:500:60::30
ord.sns-pb.isc.org. 7197 IN AAAA 2001:500:71::30
sfba.sns-pb.isc.org. 7197 IN AAAA 2001:4f8:0:2::19
ams.sns-pb.isc.org. 7197 IN RRSIG A 5 4 7200 20180509233246 20180409233246 19923 isc.org. tJh+AJes3F3tCe32YCuWX/oxvdAq41Aqu5pRJ3sjsxqrznJ3+eIeVjMn Nh1s7MMVVYPGps5Gg97+SwfnNZepTUsanryJNAVzO6Ss7eZazPyKFEXp scIIz5lDQybVhE18xH9SE6XNL3Ax8a9/Sd2ptqxUb+P3TsIHoZb8wvuw s08=
ams.sns-pb.isc.org. 7197 IN RRSIG AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. vdZQ2BPieiDNjOIXc/8xDbITtApY8asfhTthj1c7SIBKYYqMqTsNU6ip ylXjAyv2bG34e5qaE9QcJEDBdqrl4sZsRFuFhJL7l344tKZ5lA4Iiva6 YdACLQ06HwcCN40LbISvamrgyvHeG4HDhGzY0gcDPCIJqT4IqQrj8ZHk m+M=
ord.sns-pb.isc.org. 7197 IN RRSIG A 5 4 7200 20180509233246 20180409233246 19923 isc.org. KWY5r1dvUA8XcSGw9VChkhlSBc0k3qRfPKUxX1MVSKWrOfOOod8AIj2S SelWLtSsvb/I78Yi3j4aPX8JAsrDIhYJ2ZWmsq7ogyV62zdL8l7mANdG cxzhLZwwYeFYlFsWlLvsuQguHw+5LHORaVJm3YwgXS61J1jpJWdd5CYD dME=
ord.sns-pb.isc.org. 7197 IN RRSIG AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. Xan/9muSnSTzFdA1k4ytUT4lkJk+lLn6Ckp7TqRsFhdzT8dwIBoR1NtN sGjknwU8vQ9J9Wof3YHnfPfjZFmUnpUVFfJD1n9FeaAm/YVzVeOWjL7u Q4EnrVUF9FS77CumediqCkZw6AmzSq1oCDcoWMHDJojQZ6o+GOLftW1F JJ8=
sfba.sns-pb.isc.org. 7197 IN RRSIG A 5 4 7200 20180509233246 20180409233246 19923 isc.org. xcCP7sgIaYj5zSiiFVUVHRz0FUTg5Sb/baeNw2LqtMWcqrfkhYOUQRrc jZHkDgoRM4edqWisjWWmU84EoK25vi2ybH/zzi9nqhU/+JJHcVUk67su FpkFceU1/FN5vwhmzcjv8zkSD/PXUF2a4uh4xKvyC2/mVi5ucgSXp+le zZ0=
sfba.sns-pb.isc.org. 7197 IN RRSIG AAAA 5 4 7200 20180509233246 20180409233246 19923 isc.org. bTTiVlux7m3n4Qzil6YvNqvRwwwdnEY/aKauFrqHzLMe70TaUb1X8CT+ xnsdp917NYUBZ8apE4S3gSnUSP+cLA1H6a57vdWskIS0Zol1otisoDgW 5qVou6RCy0zhhXBDQ7bmqpGSo31lXeW3hI0ezTaXrAAMR/0UxHORZy/y j9w=
;; Query time: 3204 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 12 16:59:05 2018
;; MSG SIZE rcvd: 1436
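
A check for the behaviour described in this report, as an added example that is not part of the original ticket or of BIND: it parses dig output and lists NS targets from the answer section that have no A/AAAA record in the additional section. The sample inputs are abridged from the two 123-reg.co.uk responses above; the function names are assumptions of this example.

```python
import re

# Abridged from the 9.9.10-S2 and 9.9.11-S2 responses quoted in the report.
OLD = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; ANSWER SECTION:
123-reg.co.uk. 3600 IN NS ns2.123-reg.co.uk.
123-reg.co.uk. 3600 IN NS ns.123-reg.co.uk.
;; ADDITIONAL SECTION:
ns.123-reg.co.uk. 172800 IN A 212.67.202.2
ns2.123-reg.co.uk. 172800 IN A 62.138.132.21
;; Query time: 204 msec
"""
NEW = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
123-reg.co.uk. 3600 IN NS ns.123-reg.co.uk.
123-reg.co.uk. 3600 IN NS ns2.123-reg.co.uk.
;; Query time: 179 msec
"""

def parse_dig(text):
    """Return (flags, {section: [(owner, rtype, rdata), ...]}) from dig output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags:([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith(";; "):
            current = None  # any other ";; " line ends the current section
        elif current and line.strip() and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), rtype, rdata))
    return flags, sections

def missing_glue(text):
    """Return (NS targets lacking A/AAAA in ADDITIONAL, whether AD is set)."""
    flags, sec = parse_dig(text)
    targets = {rd.lower() for _, rt, rd in sec.get("ANSWER", []) if rt == "NS"}
    glued = {o for o, rt, _ in sec.get("ADDITIONAL", []) if rt in ("A", "AAAA")}
    # The header's ADDITIONAL count includes the OPT pseudo-record, so a
    # count of 1 with EDNS in use means no address records were returned.
    return sorted(targets - glued), "ad" in flags

if __name__ == "__main__":
    for label, out in (("9.9.10-S2", OLD), ("9.9.11-S2", NEW)):
        print(label, missing_glue(out))
```
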