If the names of the referred nameservers are in the domain of the
referral (e.g. *.example.com nameservers referred for the example.com
delegation), then it is *mandatory* to fill in the Additional Section
with the relevant A/AAAA address records, since there is no other way
for the referral to work (chicken-and-egg problem).
In most other cases, the contents of the Additional Section are
discretionary; the responding nameserver can fill in whatever it thinks
is "useful" to the requester. For security reasons, though, the
requester would be wise to only pay attention to those records in the
Additional Section that are within the "bailiwick" of the original
question, otherwise they might accept something untrustworthy into their
cache (the whole "bailiwick" thing is confusing, but
http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug
explains it fairly well).
The decision of what nameserver, among several, gets picked for
resolving iterative queries for a particular domain, is only
tangentially related to Additional Section processing, since NS records
can be fetched or seen in a variety of ways, and they are (as Chris
responded) selected via an adaptive algorithm based on SRTT (smoothed
round-trip time). Even that, however, has been proven to be somewhat
susceptible to attack:
http://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/
in order to steer traffic to particular nameservers, for purposes,
presumably, of DoS or to magnify the effect of a subset of nameservers
having been compromised.
- Kevin
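The bailiwick rule Kevin describes, as an added example (not code from the thread or from BIND): a minimal filter that takes a referral's Authority and Additional Sections, trusts only address records that belong to one of the referred zone's nameservers and lie inside that zone, and reports in-zone nameservers that arrived without the mandatory glue. It simplifies by taking the bailiwick to be the referred zone itself; every name and address below is constructed.

```python
# Added example, not from the bind-users thread or from BIND: a bailiwick filter
# for the Additional Section of a referral. Names and addresses are constructed.

def norm(name):
    """Lower-case a domain name and drop the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")

def in_zone(name, zone):
    """True if name equals zone or lies beneath it (zone '' is the root)."""
    n, z = norm(name), norm(zone)
    return z == "" or n == z or n.endswith("." + z)

def filter_referral(qname, authority, additional):
    """Apply the bailiwick rule to a referral.

    authority:  [(owner, 'NS', target)] from the Authority Section
    additional: [(owner, 'A'|'AAAA', address)] from the Additional Section
    Returns (zone, nameservers, accepted_glue, rejected). Only NS records whose
    owner is an ancestor of qname define the zone; only A/AAAA records that both
    name one of that zone's nameservers and sit inside the zone are kept. Everything
    else is discarded instead of being cached (simplification: bailiwick == zone).
    """
    owners = {norm(o) for o, t, _ in authority if t == "NS" and in_zone(qname, o)}
    if not owners:
        return None, [], {}, list(additional)
    zone = max(owners, key=lambda o: o.count("."))   # most specific ancestor wins
    nameservers = [norm(tgt) for o, t, tgt in authority if t == "NS" and norm(o) == zone]
    accepted, rejected = {}, []
    for owner, rtype, addr in additional:
        if rtype in ("A", "AAAA") and norm(owner) in nameservers and in_zone(owner, zone):
            accepted.setdefault(norm(owner), []).append(addr)
        else:
            rejected.append((owner, rtype, addr))
    return zone, nameservers, accepted, rejected

def missing_glue(zone, nameservers, accepted):
    """In-zone nameservers with no glue: the referral cannot be followed for them."""
    return [n for n in nameservers if in_zone(n, zone) and n not in accepted]

# Constructed referral for www.example.com, as a .com server might return it.
AUTHORITY = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "NS", "ns3.example.com."),   # no glue supplied: unusable here
    ("example.com.", "NS", "ns.example.net."),    # out-of-zone server: resolved separately
]
ADDITIONAL = [
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("ns2.example.com.", "AAAA", "2001:db8::2"),
    ("ns.example.net.", "A", "192.0.2.99"),       # out of bailiwick: not cached from here
    ("www.example.org.", "A", "198.51.100.7"),    # unrelated name: exactly what a cache must refuse
]
```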
On 1/19/2014 10:30 PM, houguanghua wrote:
Dear all,
Would you please tell me which RFC depicts the policy of the 'additional
section', and how the bind server deals with the 'additional section'?
Sometimes the number of 'additional section' is more than the number of
'authority section'. I don't know how local bind server will do when
receiving these additional sections.
Local Bind server may:
-- pick one name server randomly
-- or use sophisticated policies that "score" name servers and pick
more often the ones that replied faster
Which is right?
Thanks!
Guanghua
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users