Coredns: NSset on all authoritative responses

Created on 24 Sep 2019 · 6 Comments · Source: coredns/coredns

Coredns is always responding with all NS records in the authoritative session. It's the first time that I'm seeing such behaviour on a DNS server; this change was introduced by #455.

Is this the expected behaviour or a side effect?

~~~
$ cat Corefile

example.org {
    log
    file example.org
}
$ cat example.org

$ORIGIN example.org.
example.org. 3600 IN A 14.14.14.14
example.org. 3600 IN NS ns1.example.org.
example.org. 1800 IN SOA pns.example.org. hostmaster.example.org. 2019092101 15 180 1209600 1800
~~~






~~~
$ dig @localhost example.org.

; <<>> DiG 9.10.6 <<>> @localhost example.org.
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11280
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.org.                   IN      A

;; ANSWER SECTION:
example.org.            3600    IN      A       14.14.14.14

;; AUTHORITY SECTION:
example.org.            3600    IN      NS      ns1.example.org.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Sep 24 18:58:41 CEST 2019
;; MSG SIZE  rcvd: 107
~~~

Thank you

dns question


All 6 comments

~~~
% dig a.miek.nl @ns-ext.nlnetlabs.nl
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> a.miek.nl @ns-ext.nlnetlabs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52626
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;a.miek.nl. IN A

;; ANSWER SECTION:
a.miek.nl. 900 IN A 176.58.119.54

;; AUTHORITY SECTION:
miek.nl. 900 IN NS linode.atoom.net.
miek.nl. 900 IN NS ns-ext.nlnetlabs.nl.
miek.nl. 900 IN NS omval.tednet.nl.
miek.nl. 900 IN NS ext.ns.whyscream.net.

;; Query time: 15 msec
;; SERVER: 185.49.140.62#53(185.49.140.62)
;; WHEN: Tue Sep 24 20:29:28 BST 2019
;; MSG SIZE rcvd: 173
~~~
which is running NSD

It seems that BIND also behaves the same way, I was mistaken.

This issue was raised while trying to use adapted pdns regression tests to test a coredns plugin.

Do you recommend any framework for dns testing?

[ Quoting notifications@github.com in "Re: [coredns/coredns] NSset on all ..." ]

> It seems that BIND also behaves the same way, I was mistaken.
>
> This issue was raised while trying to use adapted pdns regression tests to test a coredns plugin.
>
> Do you recommend any framework for dns testing?

Sadly there is none; pdns' framework comes closest. Once upon a time I looked at
adapting it for our use, but that required a lot of work.

There is no generic DNS conformance test you can run to see if your
implementation conforms to the spec.
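
For a regression suite like the adapted pdns tests mentioned above, one way to compare replies is to treat the authority-section NS set on a positive answer as optional. This is an added example, not part of the thread and not CoreDNS or pdns code; `ParseDig`, `onlyNS` and `SameAnswer` are hypothetical names, and the sample input is constructed from the record lines in the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ParseDig groups the records in dig text output by section name, sorted.
func ParseDig(out string) map[string][]string {
	recs, section := map[string][]string{}, ""
	for _, line := range strings.Split(out, "\n") {
		line = strings.Join(strings.Fields(line), " ")
		if strings.HasPrefix(line, ";; ") && strings.HasSuffix(line, " SECTION:") {
			section = strings.Fields(line)[1] // e.g. "ANSWER", "AUTHORITY"
		} else if line != "" && line[0] != ';' && section != "" {
			recs[section] = append(recs[section], line)
		}
	}
	for _, rrs := range recs {
		sort.Strings(rrs)
	}
	return recs
}

// onlyNS reports whether every record (name ttl class type rdata) has type NS.
func onlyNS(rrs []string) bool {
	for _, rr := range rrs {
		if f := strings.Fields(rr); len(f) < 5 || f[3] != "NS" {
			return false
		}
	}
	return true
}

// SameAnswer (hypothetical test helper): answers must match exactly; authority too,
// except a positive answer may lack an NS-only authority section on one side.
func SameAnswer(want, got map[string][]string) bool {
	eq := func(s string) bool { return strings.Join(want[s], "\n") == strings.Join(got[s], "\n") }
	a, b := want["AUTHORITY"], got["AUTHORITY"]
	optionalNS := len(got["ANSWER"]) > 0 && (len(a) == 0 || len(b) == 0) && onlyNS(a) && onlyNS(b)
	return eq("ANSWER") && (eq("AUTHORITY") || optionalNS)
}

// Constructed input: the issue's record lines, with and without the NS set.
const minimal = ";; ANSWER SECTION:\nexample.org. 3600 IN A 14.14.14.14\n"
const full = minimal + ";; AUTHORITY SECTION:\nexample.org. 3600 IN NS ns1.example.org.\n"

func main() { fmt.Println(SameAnswer(ParseDig(minimal), ParseDig(full))) }
```

A negative reply (empty answer with an SOA in the authority section) is still compared strictly, so a missing SOA fails the test.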

DNS is one of the core and fundamental services of internet as we know it.

It's extremely interesting that such critical service, on which most internet users rely to use internet, doesn't have generic or well known DNS conformance tests.

@miekg Do you know of any initiatives to rectify this or maybe dns development community doesn't see a need for such tests?

[ Quoting notifications@github.com in "Re: [coredns/coredns] NSset on all ..." ]

> DNS is one of the core and fundamental services of internet as we know it.
>
> It's extremely interesting that such critical service, on which most internet users rely to use internet, doesn't have generic or well known DNS conformance tests.

ahha, yes. LOL. Uh, the specification isn't even 100% understood. IIRC there are
20K PAGES of RFC text on how a DNS server should work. DNS wildcards (a feature
right there at the launch of DNS) was finally properly understood in RFC 4592
(https://tools.ietf.org/html/rfc4592) written in 2006. 20+ years after DNS
gained that feature.

> @miekg Do you know of any initiatives to rectify this or maybe dns development community doesn't see a need for such tests?

There have been efforts, but they stalled. Also because the spec is ambiguous and
large it's impossible to even define such a thing in the first place.

That's sad, I think we can close this issue. Thank you all :)
