On 10/05/16 19:48, John Bond wrote:
Hi John,
> What I wanted to ask is how does the name server decide what parts of
> the additional section are removed? For instance if the query came in
> over IPv6 would nsd attempt to add AAAA glue before A glue? If the zone
> is signed will it attempt to only add glue if it can also add the rrsig
> record?

I can't answer this as I don't know the code, but the NSD developers
should be able to.

However, the idea of preferring glue based on the query's address family
has been added to BIND recently. Look at the 9.10.4 release notes.

However, I don't think NSD pays attention to the query's address family
when deciding which glue to add.

> Finally I thought that you would have to include at least one glue record
> in the additional section otherwise a resolution is not possible.
> However nsd will answer with an empty additional section even if all
> labels in the NS set are in zone. Is this an error or have I missed
> something?
>
> I have set up an example.com zone on one of my servers to demonstrate
> this. The following query produces no glue records in the additional
> section.
>
> dig ns example.com. @5.28.62.36 +bufsize=1440 +norec

Right, so here, NSD isn't providing any glue. However... the recursor
already has at least one address that it knows answers for example.com
(because the response had AA), and this address is 5.28.62.36. So the
recursor should be able to follow up with A and AAAA queries to
5.28.62.36 for all those NS records it got in the answer.

However, if the response from 5.28.62.36 had not been an authoritative
answer, but rather a delegation, then missing glue would make resolution
fail. NSD should recognise this, and set the TC bit in the response to
encourage the client to come back over TCP.

Regards,
Anand
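
The distinction drawn in the reply above (an AA answer with no glue is still usable, a delegation with no glue is not unless TC invites a TCP retry) can be checked on a raw DNS response. This is an added example, not part of the original message and not NSD or BIND code; the function names, verdict strings and sample records are constructed for illustration.

```python
import struct
A, NS, AAAA, AA, TC = 1, 2, 28, 0x0400, 0x0200   # RR types, header flag bits

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii").lower())
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def classify(msg):
    """Say what a resolver can do with this response to an NS query."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, sections = 12, []
    for _ in range(qd):                            # skip name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            target = read_name(msg, off + 10)[0] if rtype == NS else None
            rrs.append((owner, rtype, target))
            off += 10 + rdlen
        sections.append(rrs)
    _, authority, additional = sections
    if flags & AA:       # authoritative answer: ask this same server for addresses
        return "authoritative"
    glue = {o for o, t, _ in additional if t in (A, AAAA)}
    refs = [(cut, tgt) for cut, t, tgt in authority if t == NS]
    if not refs:
        return "no-referral"
    if any(tgt in glue or not ("." + tgt).endswith("." + cut.lstrip(".")) for cut, tgt in refs):
        return "referral-ok"   # glue present, or the NS name is outside the cut
    return "retry-tcp" if flags & TC else "referral-unresolvable"

Q, PTR = b"\x07example\x03com\x00", b"\xc0\x0c"  # constructed: qname at offset 12, pointer to it
def build(flags, an=(), ns=(), ar=()):
    body = Q + struct.pack("!HH", NS, 1) + b"".join([*an, *ns, *ar])
    return struct.pack("!6H", 1, flags, 1, len(an), len(ns), len(ar)) + body
NS_RR = PTR + struct.pack("!HHIH", NS, 1, 3600, 6) + b"\x03ns1" + PTR   # example.com. NS ns1.example.com.
GLUE = b"\x03ns1" + PTR + struct.pack("!HHIH", A, 1, 3600, 4) + bytes([192, 0, 2, 53])
```

`classify(build(AA, an=(NS_RR,)))` corresponds to the dig query in the thread (NS set in the answer, empty additional section), while `classify(build(0, ns=(NS_RR,)))` is the delegation case where the missing glue is fatal.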