Suboptimal behavior from nsd

Roy Arends roy at logmess.com
Thu Jan 15 11:01:57 UTC 2004


On Thu, 15 Jan 2004, Miek Gieben wrote:

> [On 15 Jan, @05:31, Roy wrote in "Re: Suboptimal behavior from n ..."]
> > > >>| enst.fr.                345600  IN      NS      phoenix.uneec.eurocontrol.fr.
> > > >>|
> > > >>| ;; ADDITIONAL SECTION:
> > > >>| minos.enst.fr.          345600  IN      A       137.194.2.34
> > > >>| enst.enst.fr.           345600  IN      A       137.194.2.16
> > > >>| infres.enst.fr.         345600  IN      A       137.194.160.3
> > > >>| phoenix.uneec.eurocontrol.fr. 345600 IN A       147.196.69.1
> > > >
> > > >
> > > > I'm slightly puzzled on why this last A record is added, it should
> > > > be considered out of zone, but somehow NSD will add it.
> > >
> > > Because all these A records appear as glue in the .fr zone.  So the
> > > answer is constructed using data from a single zone, as are all answers
> > > from NSD (by design).
> >
> > Ah, are you going to change that design ? Since all records did _not_ came
>
> I guess not. The inclusion of that 'phoenix' host is due to the fact that it is
> glue in the .fr zone (for some other zone).

Non sequitur.

> From a purity standpoint that host should not have been added in the
> additional section.

s/purity/security/

> I don't think fixing this is trivial in the current
> NSD design (current: 1.2.X and 2.X.X).

But is it going to be fixed ?

> > from a single zone. This design is not spoof-proof.
>
> a well implemented cache should see that and not cache that information. It
> sounds a bit strange in my ears to talk about spoof-proofing NSD while
> NSD has no cache...

....

Relying on a well implemented cache is a wee bit naive. It think both the
spoofer and the spoofee carry some responsibility for spoof-proofness.

Roy



More information about the nsd-users mailing list