trying to respond to help for NAPTR entries

Sam Trenholme strenholme.usenet at gmail.com
Fri May 14 09:48:46 EDT 2010


David asked us:

>> I added some entries in my zone file and tried with dig (below is the result). I noticed that there was no "additional records" section in the response (checked with wireshark). This brings another question to mind: Is there a way to turn ON/OFF additional records fields? <<

In MaraDNS, a DNS reply has an authority and additional section with
NS records and their IPs only when the record is in its own zone.  In
other words, if you have a record that ends in “example.com”, for it
to have NS and AR records, it has to be in the zone for example.com.
For example, if we have this in a mararc file:

csv2["example.org."] = "db.example.com"

and this for db.example.com:

www.example.com. A 10.2.3.4

We won’t get NS and AR records.  However, if we keep db.example.com
the same and have this in our mararc file:

csv2["example.com."] = "db.example.com"

We will get NS and AR records.

As an aside, the only time MaraDNS and Deadwood actually use NS and AR
records is when a DNS query doesn’t answer our question.  When this
happens, MaraDNS and Deadwood convert the DNS NS referral into a list
of IPs for all of the records in the NS section with corresponding IPs
in the AR section, and a list of glueless NS referrals for records
without IP glue in the AR section.

It’s actually best for a recursive DNS server to use the NS and AR
section as little as possible; it helps protect the server against
attacks like the Kaminsky DNS attack.  Indeed, MaraDNS has been acting
this way since 2001, long before Kaminsky came on to the scene.

- Sam

Note: I do not answer MaraDNS (including Deadwood) support requests
sent by private email without being compensated for my time. A MaraDNS
support request is any and all discussion you may wish to have about
MaraDNS in private email; if you want to email me to talk about
MaraDNS then, yes, that is a support request. I will discuss rates if
you want this kind of support. Thank you for your understanding.

MaraDNS security vulnerability reports, however, will be dealt with
without charge and kept confidential. If you don't know what Bugtraq
is, then, no, your email is not a security report. It is not a
security report unless you've done due diligence to determine how the
security bug you think you found can reasonably be exploited.
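The message above describes two things a reader may want to check by hand: whether a reply carries authority (NS) and additional (AR) records at all, and how a referral's NS names are paired with the glue IPs in the AR section. The following script is an added example, my own code and not part of MaraDNS, Deadwood or this mailing list post. It builds a constructed referral message in DNS wire format (question `www.example.com A`, two NS records, two glue A records), parses the header counts and sections, and pairs each NS name with its glue. The bailiwick filter in `referral_targets` (glue is only trusted when the NS name lives under the zone being delegated) is my addition as an illustration of the "use the AR section as little as possible" advice; the post does not say this is how MaraDNS implements it.

```python
import struct

A, NS = 1, 2  # DNS record types used in this example


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    """Build one resource record (class IN)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_referral():
    """Constructed sample reply: no answer, two NS, two glue A records.
    ns2.example.net is deliberately outside the example.com bailiwick."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 2, 2)
    question = encode_name("www.example.com") + struct.pack("!HH", A, 1)
    authority = (rr("example.com", NS, encode_name("ns1.example.com"))
                 + rr("example.com", NS, encode_name("ns2.example.net")))
    additional = (rr("ns1.example.com", A, bytes([10, 2, 3, 4]))
                  + rr("ns2.example.net", A, bytes([192, 0, 2, 1])))
    return header + question + authority + additional


def read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:  # guard against pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def section_counts(msg):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) straight from the header."""
    return struct.unpack("!HHHH", msg[4:12])


def parse(msg):
    """Return (questions, {section: [(owner, type, value), ...]})."""
    qd, an, ns, ar = section_counts(msg)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == NS:
                value, _ = read_name(msg, off)  # parse from msg so pointers resolve
            elif rtype == A and rdlen == 4:
                value = ".".join(str(b) for b in rdata)
            else:
                value = rdata
            off += rdlen
            recs.append((name, rtype, value))
        sections[key] = recs
    return questions, sections


def is_referral(msg):
    """A reply that answers nothing but names other servers."""
    _qd, an, ns, _ar = section_counts(msg)
    return an == 0 and ns > 0


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def referral_targets(msg):
    """Pair each NS name with its glue IPs; NS names outside the delegated
    zone get no glue (hypothetical filter, my addition) and become glueless."""
    _, sec = parse(msg)
    glue = {}
    for name, rtype, value in sec["additional"]:
        if rtype == A:
            glue.setdefault(name.lower(), []).append(value)
    targets = []
    for zone, rtype, nsname in sec["authority"]:
        if rtype != NS:
            continue
        ips = glue.get(nsname.lower(), []) if in_bailiwick(nsname, zone) else []
        targets.append((nsname, ips))
    return targets


if __name__ == "__main__":
    m = build_referral()
    print("counts (qd, an, ns, ar):", section_counts(m))
    print("referral:", is_referral(m))
    for nsname, ips in referral_targets(m):
        print(nsname, ips or "(glueless, must be resolved separately)")
```

Run it as-is to see the constructed referral decoded; to inspect a real reply, capture the UDP payload (for instance from the Wireshark session mentioned in the question) and pass those bytes to `section_counts` and `parse` instead of `build_referral()`.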

