% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{$Id: differences.tex,v 1.2 2022/09/24 17:38:17 christos Exp $}
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
	%This escape is needed. Because of wrapping by hyperref
	\texorpdfstring{
		Jelte Jansen\thanks{\href{mailto:jelte@nlnetlabs.nl}{jelte@nlnetlabs.nl}},
		\textsl{NLnet Labs}\\
		Wouter Wijngaards\thanks{\href{mailto:wouter@nlnetlabs.nl}{wouter@nlnetlabs.nl}},
		\textsl{NLnet Labs}
	}
	{Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
	\today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted.

We used BIND 8 and BIND 9 versions to compare against. Also regression
tests have been run on our testlab, comparing NSD 2 versus NSD 3.

Our method uses a set of queries captured from production name servers.
These queries are sent over UDP to a name server set up to serve a
particular zone. Then the responses from the name server are recorded.
For every query, the different answers provided by the server
implementations are compared.

Unparseable answers and no answers from the servers are handled
identically by the comparison software. This is not a problem because
both BIND and NSD are mature and stable DNS implementations; all answers
they send are parseable. Only in a very few cases, where the query is
very badly formed, are no answers sent back.

The differences are found by replaying captured DNS query traces from
the NL TLD and from the root zone against different name servers. The
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets. If the packets are binary different,
the contents are parsed, thus removing differences in domain name
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.
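
The comparison steps described above (byte comparison, parsing that undoes name compression, sorted lowercase normalization, then first matching category) can be sketched in Python as follows. This is an added example, not the comparison software used for this note: the function names, the order of the category list and the sample packets are assumptions, and it covers the categories b-badquery-badanswer, n-clrdobit, b-soattl, d-formerrquery and d-refusedquery.

```python
# Added illustration, not the note's own software: names, category order and samples are assumed.
import struct
SOA, OPT = 6, 41
NAME_RDATA = {2, 5, 12}        # NS, CNAME, PTR: rdata is a single domain name

def read_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 64:
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if resume is None else resume)
        else:
            label = msg[off + 1:off + 1 + n]
            if n > 63 or len(label) != n:
                raise ValueError("bad label")
            labels.append(label.lower().decode("latin-1"))
            off += 1 + n

def norm_rdata(msg, rtype, off, rdlen):   # expand names so compression cannot differ
    if rtype in NAME_RDATA:
        return read_name(msg, off)[0]
    if rtype == SOA:
        mname, p = read_name(msg, off)
        rname, p = read_name(msg, p)
        return (mname, rname, msg[p:p + 20])
    return msg[off:off + rdlen]

def parse(msg):
    """Normalized view of a response; None when it is absent or unparseable."""
    try:
        _id, flags, *counts = struct.unpack_from("!6H", msg, 0)
        off, question, sections, do_bit = 12, [], [], False
        for _ in range(counts[0]):
            name, off = read_name(msg, off)
            question.append((name, *struct.unpack_from("!2H", msg, off)))
            off += 4
        for count in counts[1:]:
            rrs = []
            for _ in range(count):
                name, off = read_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
                off += 10
                if off + rdlen > len(msg):
                    raise ValueError("truncated rdata")
                if rtype == OPT:                   # DO lives in the OPT TTL field
                    do_bit, ttl = bool(ttl & 0x8000), ttl & ~0x8000
                rrs.append((name, rtype, rclass, ttl, norm_rdata(msg, rtype, off, rdlen)))
                off += rdlen
            sections.append(sorted(rrs))
    except (TypeError, IndexError, ValueError, struct.error):   # TypeError: msg is None
        return None
    return {"flags": flags, "question": sorted(question), "answer": sections[0],
            "authority": sections[1], "additional": sections[2], "do": do_bit}

def n_clrdobit(bind, nsd):                 # only the DO bit differs, set by BIND
    return bind["do"] and not nsd["do"] and {**bind, "do": False} == nsd

def b_soattl(bind, nsd):                   # only the authority SOA TTL differs, 0 in BIND
    def masked(view):
        return {**view, "authority": sorted((n, t, c, 0 if t == SOA else ttl, rd)
                                            for n, t, c, ttl, rd in view["authority"])}
    zero = any(t == SOA and ttl == 0 for _, t, _, ttl, _ in bind["authority"])
    return zero and masked(bind) == masked(nsd)

def header_only(rcode):                    # same error, but NSD omits the question section
    return lambda bind, nsd: (bind["flags"] & 0xF == rcode and bool(bind["question"])
                              and {**bind, "question": []} == nsd)

CATEGORIES = [                             # consulted in order; the first match wins
    ("n-clrdobit", n_clrdobit),
    ("b-soattl", b_soattl),
    ("d-formerrquery", header_only(1)),
    ("d-refusedquery", header_only(5)),
]

def classify(bind_wire, nsd_wire):         # one (BIND answer, NSD answer) pair per query
    if bind_wire == nsd_wire:
        return "same-on-wire"
    bind, nsd = parse(bind_wire), parse(nsd_wire)
    if bind == nsd:
        return "same-after-normalization"
    if bind is None:                       # NSD answered, BIND did not (parseably)
        return "b-badquery-badanswer"
    for label, matches in (CATEGORIES if nsd is not None else ()):
        if matches(bind, nsd):
            return label
    raise LookupError("unclassified difference: stop and notify the user")

# Constructed sample pair: "nl. IN NS" answers whose OPT record differs only in DO.
HEAD = "1234 8400 0001 0000 0000 0001 026e6c00 0002 0001"
SAMPLE_BIND = bytes.fromhex(HEAD + "00 0029 1000 00008000 0000")   # DO set
SAMPLE_NSD = bytes.fromhex(HEAD + "00 0029 1000 00000000 0000")    # DO clear

if __name__ == "__main__":
    print(classify(SAMPLE_BIND, SAMPLE_NSD))
```

An unclassified pair raises LookupError, which mirrors the rule that the process stops and the user is notified.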

In addition, we gratefully made use of the PROTOS DNS tool developed
at the University of Oulu which they made publicly available at
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND and NSD, mostly FORMERR answers.

A previous document DIFFERENCES between BIND 8.4.4 and NSD 2.0.0 can be found
in the NSD 2.x package.

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and
Section~\ref{nl_b932nsd3} with presenting
the difference statistics for two test traces. Then in
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
d-additional (\ref{d-additional}) 	&        455607 & 59.19\%	\\
n-clrdobit (\ref{n-clrdobit})		&        208389 & 27.07\%	\\
b-soattl (\ref{b-soattl})		&        101707 & 13.21\%	\\
n-update (\ref{n-update})		&          1858 & 0.24\%	\\
d-hostname (\ref{d-hostname})		&          1032 & 0.13\%	\\
d-formerrquery (\ref{d-formerrquery})	&           773 & 0.10\%	\\
b-class0 (\ref{b-class0})		&           264 & 0.03\%	\\
d-refusedquery (\ref{d-refusedquery})	&            79 & 0.01\%	\\
d-notify (\ref{d-notify})		&            18 & 0.00\%	\\
b-mailb (\ref{b-mailb})			&             7 & 0.00\%	\\
n-tcinquery (\ref{n-tcinquery})		&             6 & 0.00\%	\\
b-classany-nxdomain (\ref{b-classany-nxdomain})	&     5 & 0.00\%	\\
d-badqueryflags (\ref{d-badqueryflags})	&             4 & 0.00\%	\\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	&             3 & 0.00\%	\\
d-version (\ref{d-version})		&             1 & 0.00\%	\\
Total number of differences:            &        769753 & 100\%	\\
Number of packets the same after normalization:&1474863	\\
Number of packets exactly the same on the wire:&  59161	\\
Total number of packets inspected:             &2244616	\\
\end{tabular}

For each type of difference, the number of packets in the trace that
match that difference is shown. The section where that difference
is analyzed is shown in parentheses after the difference name.
The percentage of differences
explained by the difference category is listed.  Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets after normalization includes the number of
packets that are the same on the wire.
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference}                        & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode})               &     2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})               &     1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit})           &     1495 & 15.56\% \\
b-soattl (\ref{b-soattl})               &     1120 & 11.65\% \\
n-update (\ref{n-update})               &      990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags})         &      847 & 8.81\% \\
d-hostname (\ref{d-hostname})           &      531 & 5.52\% \\
d-notify (\ref{d-notify})               &       98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref})             &       78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit})           &       63 & 0.66\% \\
d-version (\ref{d-version})             &       22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery})               &        8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0})         &        1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could
refer to the query or the answer. NSD clears the DO bit for all answers, a
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you can get either FORMERR (from BIND) or REFUSED (from NSD).

\vspace{-8pt}\subparagraph{Analysis:}

This is a difference in interpretation of the RFCs: a CLASS value of 0 is interpreted
as a syntax error by BIND but as another valid class (that is not served)
by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if the TC bit is set in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets. Thus
TC (TrunCation) cannot happen. Only one question per query packet is
answered by NSD; this is a design decision.

Some update, ixfr request, notify, gss-tsig TKEY sequence queries could
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this, NSD is more strict in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       0       IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to internet-draft draft-andrews-dnsext-soa-discovery, which
at the moment of code development has not (yet) been published as an RFC.
NSD conforms to the RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with the AA bit cleared. For nonexistent domains (nxdomain)
NSD replies with the AA bit cleared. BIND replies with the AA bit on and includes a
SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO.  ANY     MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

This is a feature of BIND, where it answers authoritatively for CLASS ANY
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for
                            some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in
some way.

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries, the missing answer
only occurs when BIND is presented with a trace of queries, not with
a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question into the answer, or
some internal state of BIND is affected by earlier queries.

NSD manages to answer the malformed query. Note that NSD does not answer
queries that are too short, or that have the QR bit set. NSD tries to be
as liberal as possible in what it accepts.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences are due to the fact that NSD does not
implement some functionality that is requested by resolvers.  This
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started
without any configuration for access control on notify. For notify messages
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

Default configuration differs between the two packages. NSD is more strict.
Error codes are different; the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you can get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or
NOTIMPL from NSD 3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update.


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you can get either NOTIMPL (BIND 9) or NOERROR/NXDOMAIN (NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as
one of the RRTYPEs. MAILB is obsoleted by RFCs; the MX type is
used to transfer mail information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD returns an answer to version.server queries; BIND returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND return answers to version.bind queries of the CHAOS class.
These answers differ in the version number they return, of course.
BIND does not return the version for version.server queries. It is a design
decision on the part of NSD to return the same answer to version.server queries.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR, BIND responds with a valid answer (the latest SOA)
and NSD responds with a NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.
532d83a80eeSchristos
533d83a80eeSchristos
534d83a80eeSchristos\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
535d83a80eeSchristos\label{d-badqueryflags}
536d83a80eeSchristos
537d83a80eeSchristosBIND includes the query section in reply to unparseable queries. NSD does not.
538d83a80eeSchristos
539d83a80eeSchristos\vspace{-8pt}\subparagraph{Analysis:}
540d83a80eeSchristos
541d83a80eeSchristosSame as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison
542d83a80eeSchristossoftware could not parse the query either, thus a separate label.
543d83a80eeSchristos
544d83a80eeSchristos
545d83a80eeSchristos\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
546d83a80eeSchristos\label{d-unknown-class}
547d83a80eeSchristos
548d83a80eeSchristosFor queries with an unknown class in the query, BIND includes the query section
549d83a80eeSchristosin the answer. NSD does not.
550d83a80eeSchristos
551d83a80eeSchristos\vspace{-8pt}\subparagraph{Analysis:}
552d83a80eeSchristos
553d83a80eeSchristosSame as d-formerrquery (\ref{d-formerrquery}), but for a different error.
554d83a80eeSchristos
555d83a80eeSchristos
556d83a80eeSchristos\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
557d83a80eeSchristos\label{d-unknown-opcode}
558d83a80eeSchristos
559d83a80eeSchristosFor queries that are bad packets, with malformed RRs, with an unknown opcode,
560d83a80eeSchristosBIND returns a FORMERR, but NSD gives up after checking the opcode and
561d83a80eeSchristosreturns NOTIMPL.  NSD copies the flags from the query, and turns on the
562d83a80eeSchristosQR (query response) bit, BIND zeroes some of the flags.
563d83a80eeSchristos
564d83a80eeSchristos\vspace{-8pt}\subparagraph{Analysis:}
565d83a80eeSchristos
566d83a80eeSchristosNOTIMPL is appropriate since NSD does not implement whatever functionality
567d83a80eeSchristosis being looked for.
568d83a80eeSchristos
569d83a80eeSchristos
570d83a80eeSchristos\subsubsection{b-upwards-ref - BIND returns root delegation}
571d83a80eeSchristos\label{b-upwards-ref}
572d83a80eeSchristos
573d83a80eeSchristosFor queries to a domain that is not served, which can only have arrived at
574d83a80eeSchristosthis server due to a lame delegation, BIND returns a root delegation. NSD
575d83a80eeSchristosreturns SERVFAIL.
576d83a80eeSchristos
577d83a80eeSchristos\vspace{-8pt}\subparagraph{Analysis:}
578d83a80eeSchristos
579d83a80eeSchristosBy design, NSD does not know the root-servers.  NSD is unable to reply as
580d83a80eeSchristosthe zone is not configured, hence the SERVFAIL. This is also discussed in
581d83a80eeSchristosthe REQUIREMENTS document for NSD.
582d83a80eeSchristos

\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a follow-up query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

Error code not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not return FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves case in answers. This choice is made in REQUIREMENTS for NSD;
also see RFC1035\cite{rfc1035} 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify})               & 19 &  73.08\% \\
n-ixfr (\ref{n-ixfr})                   & 3 &  11.54\% \\
version.bind (\ref{nsd-version})       & 3 & 11.54\% \\
version.server (\ref{nsd-version})   & 1  &  3.85\% \\
Total number of differences:            & 26 &  100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected:             &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
byte-for-byte identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify}) 		& 289 & 92.93\% \\
version.bind (\ref{nsd-version}) 	& 22  & 7.07\% \\
Total number of differences: 			   & 311 	& 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: 	&100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns NOTIMPL error code,
while NSD 3 returns NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

Default config denies all notify queries for NSD 3. These answers are correct
for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given in response to IXFR queries. NSD 2
gives FORMERR (due to the RR in the authority section). NSD 3 returns
NOTIMPL.

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed.


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit (\ref{n-clrcdbit})	&         516372 &84.39\% \\
d-hostname (\ref{d-hostname})	&         53431  &8.73\% \\
d-additional (\ref{d-additional})	& 32526  &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup})	& 4611  &0.75\% \\
n-update (\ref{n-update})	&         1856  &0.30\% \\
d-version (\ref{d-version})	&         1033  &0.17\% \\
b8-auth-any (\ref{b8-auth-any})	&         519  &0.08\% \\
b8-badedns0 (\ref{b8-badedns0})	&         492  &0.08\% \\
d-unknown-class (\ref{d-unknown-class})	& 482  &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})	& 451  &0.07\% \\
b-class0 (\ref{b-class0})	&         97  &0.02\% \\
d-notify (\ref{d-notify})	&         18  &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query})	& 6  &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored})	& 4  &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	& 3  &0.00\% \\
b-soattl (\ref{b-soattl})	&         1  &0.00\% \\
Total number of differences: 		&	 611902	&100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:&   2299 \\
Total number of packets inspected: 	       &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit        (\ref{n-clrcdbit})         &           2857        &33.53\% \\
d-unknown-opcode  (\ref{d-unknown-opcode})   &           2692        &31.59\% \\
n-update          (\ref{n-update})           &           1283        &15.06\% \\
d-badqueryflags   (\ref{d-badqueryflags})    &            841        &9.87\% \\
d-hostname        (\ref{d-hostname})         &            531        &6.23\% \\
d-notify          (\ref{d-notify})           &            293        &3.44\% \\
d-version         (\ref{d-version})          &             22        &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) &         1        &0.01\% \\
b8-badedns0          (\ref{b8-badedns0})     &              1        &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, this minimum TTL is
larger than the original TTL of the SOA. NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8 solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 manages to reply to malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is bad, so FORMERR is needed. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores a bad EDNS0 section in a query and answers the query anyway.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND 8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND 8 includes an authority section on queries for class ANY .
BIND 9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND 9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns
NXDOMAIN, BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries: it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}