[nsd-users] NSD 4.0.1: referral from parent instead of SERVFAIL

W.C.A. Wijngaards wouter at nlnetlabs.nl
Thu Jan 30 13:57:25 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Anand, Peter,

On 01/28/2014 06:12 PM, Peter Koch wrote:
> On Tue, Jan 28, 2014 at 05:30:25PM +0100, Anand Buddhdev wrote:
> 
>> ;; AUTHORITY SECTION: 14.109.in-addr.arpa.	172800	IN	NS
>> ns.ripe.net. 14.109.in-addr.arpa.	172800	IN	NS
>> nsrev00.dns.sfr.net. 14.109.in-addr.arpa.	172800	IN	NS
>> nsrev01.dns.sfr.net.
>> 
>> Why doesn't NSD do a closest match and return SERVFAIL?

It does a code-particularity, and this is why it attempts to return
this data.  In a different expired case it might have given servfail.

It has now been fixed to behave like Bind, Knot: it returns SERVFAIL,
even if there is a parent zone.

> in this case, ns.ripe.net does not know about the zone, but the 
> other two servers respond authoritatively.  That means a resolver 
> starting at "ns.ripe.net" can recover only by using another one of
> 109.in-addr.arpa's servers, whereas the NSD behaviour would make
> possible a recovery one level below.  Not saying it is _the_ way to
> go, but it makes a lot of sense to me.  And then there's DNSSEC, 
> suggesting to be extra careful with child/grandchild zone
> interaction.

Yes, it could be useful, but would take different action to make that
work all of the time.  I can certainly implement it, the question is
what is right.  Right now, I'll do what the other two do for
compatibility.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS6lpFAAoJEJ9vHC1+BF+NHgUP/2YgKyPgj5/LgztHUIOAqifp
5mLuKEcpVj7rbp7CU+3CkEDHaGmnKBAAKWIaypY3ioR7MvCz3RGHSXRxqivVv05d
R3yHcJJd3VwSrrnVoLFqE1JYhthVh1rHl6dvY53GOBU2gGoNV+IteCbN5jO7S0Hy
DBCbSg4QeouEtLhggoQ+dmFF6KRZOyfAGHoIX/C7IEMlj2g+G3oRGjMbyzgEE+qV
HQQBP9/iGARt3HxEg3hB9Riy3uXmAr5HyTY0bkDSGVwo/ik0pV+pfancd8m/nlBF
7+mU1W4WCC2Y9dNxjuUiJjbCO6aBJ1oNoy86CshJQndvx/47Fmv8TrloDBzT36uO
FyUSU7zsu5dB4fRgoQyzHDrsUL98lqpEo750OB+21ktQt/RPNCexVJFOOC2RcKQr
AWa+mQpqCpPKmuW8cZR9eiaYmHfquQMg3fTxd36AcdRxwreuZwty3MldPDePu3j3
hlz9M6FhE9a0Ijd3tVuZQVVsMYIFCWzePVDfJXWtVoFM98RP7/rA7/jsjShuBS+w
E2H2pEH8/Wiq3OjVX/fFt4wsxswU9jfTx7yIKCijAZ9Q/f+O5LPVKxoiWaguCWgs
pDL3HlrbjJCsUBX0RfOrzY+J+k8l/muxM7CgykGBABiDQdUmqL3BqdCCGy8u2VhG
BGjEmLmCj16cCDxGE2X0
=whWw
-----END PGP SIGNATURE-----

More information about the nsd-users mailing list