% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{$Id: differences.tex,v 1.2 2022/09/24 17:38:17 christos Exp $}
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
  %This escape is needed. Because of wrapping by hyperref
  \texorpdfstring{
    Jelte Jansen\thanks{\href{mailto:jelte@nlnetlabs.nl}{jelte@nlnetlabs.nl}},
    \textsl{NLnet Labs}\\
    Wouter Wijngaards\thanks{\href{mailto:wouter@nlnetlabs.nl}{wouter@nlnetlabs.nl}},
    \textsl{NLnet Labs}
  }
  {Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
  \today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted.

We used BIND 8 and BIND 9 versions to compare against. Regression
tests have also been run in our test lab, comparing NSD 2 versus NSD 3.

Our method uses a set of queries captured from production name servers.
These queries are sent over UDP to a name server set up to serve a
particular zone. Then the responses from the name server are recorded.
For every query, the different answers provided by the server
implementations are compared.

Unparseable answers and no answers from the servers are handled
identically by the comparison software. This is not a problem because
both BIND and NSD are mature and stable DNS implementations; all answers
they send are parseable. Only in a very few cases, where the query is
very badly formed, are no answers sent back.

The differences are found by replaying captured DNS query traces from
the NL TLD and from the root zone against different name servers. The
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets.
If the packets differ at the byte level,
the contents are parsed, thus removing differences in domain name
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

In addition, we gratefully made use of the PROTOS DNS tool developed
at the University of Oulu, which they made publicly available at
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease, and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND and NSD; the answers were mostly FORMERR.

A previous document, DIFFERENCES between BIND 8.4.4 and NSD 2.0.0, can be found
in the NSD 2.x package.
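
The comparison procedure described above (byte comparison, then parsing and normalization, then an ordered list of difference categories), shown in Python as an added example; it is not the comparison software used for this note. The function names, the category order, ignoring the message ID, expanding names only in SOA RDATA, and all sample packets are assumptions constructed for illustration.

```python
import struct

QR, AA, RD, FORMERR, NXDOMAIN, REFUSED, SOA = 0x8000, 0x0400, 0x0100, 1, 3, 5, 6

def read_name(msg, off):
    """Decode a possibly compressed name; return (lowercased name, offset after it)."""
    labels, resume = [], None
    for _ in range(256):                      # bounded walk, so pointer loops terminate
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer
            resume = off + 2 if resume is None else resume
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            return ".".join(labels) + ".", (off + 1 if resume is None else resume)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("latin-1").lower())
            off += 1 + length
    raise ValueError("name too long or compression pointer loop")

def read_rdata(msg, off, rdlen, rtype):
    """Expand names in SOA RDATA; other types stay raw bytes (a simplification here)."""
    raw = struct.unpack_from(f"!{rdlen}s", msg, off)   # struct.error if RDATA overruns the packet
    if rtype != SOA:
        return raw
    mname, off = read_name(msg, off)
    rname, off = read_name(msg, off)
    return (mname, rname) + struct.unpack_from("!5I", msg, off)

def normalize(msg):
    """Parse into a sorted, lowercased form; None for an unparseable or missing answer."""
    try:
        _id, flags, *counts = struct.unpack_from("!6H", msg or b"", 0)  # ID not compared (assumed)
        off, question, sections = 12, [], []
        for _ in range(counts[0]):
            name, off = read_name(msg, off)
            question.append((name,) + struct.unpack_from("!2H", msg, off))
            off += 4
        for count in counts[1:]:
            rrs = []
            for _ in range(count):
                name, off = read_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
                rrs.append((name, rtype, rclass, ttl, read_rdata(msg, off + 10, rdlen, rtype)))
                off += 10 + rdlen
            sections.append(tuple(sorted(rrs)))
    except (IndexError, ValueError, struct.error):
        return None
    return {"flags": flags, "question": tuple(sorted(question)),
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}

def soa_ttl_zero(bind, nsd):
    """b-soattl: BIND's reply equals NSD's once the authority SOA TTL is set to 0."""
    zeroed = tuple(sorted((n, t, c, 0 if t == SOA else ttl, rd)
                          for n, t, c, ttl, rd in nsd["authority"]))
    return zeroed != nsd["authority"] and {**nsd, "authority": zeroed} == bind

def query_echoed(rcode):
    """d-formerrquery / d-refusedquery: BIND echoes the question, NSD sends the header only."""
    return lambda bind, nsd: (bind["flags"] & 0xF == rcode and bool(bind["question"])
                              and {**bind, "question": ()} == nsd)

CATEGORIES = [("b-soattl", soa_ttl_zero), ("d-formerrquery", query_echoed(FORMERR)),
              ("d-refusedquery", query_echoed(REFUSED))]   # first match wins; order assumed

def compare(bind_wire, nsd_wire):
    """Byte comparison, then normalized comparison, then the ordered category list."""
    if bind_wire == nsd_wire:
        return "same-on-wire"
    bind, nsd = normalize(bind_wire), normalize(nsd_wire)
    if bind == nsd:
        return "same-after-normalization"
    if bind is None and nsd is not None:
        return "b-badquery-badanswer"         # BIND answer missing or unparseable, NSD answered
    for label, match in (CATEGORIES if bind and nsd else ()):
        if match(bind, nsd):
            return label
    raise LookupError("difference matches no category: stop and inspect it by hand")

def wire(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".") if p) + b"\x00"

def soa_rr(owner, ttl, mname, rname):
    rdata = mname + rname + struct.pack("!5I", 2006072801, 1800, 900, 604800, 86400)
    return owner + struct.pack("!2HIH", SOA, 1, ttl, len(rdata)) + rdata

def packet(flags, q=b"", auth=()):
    return struct.pack("!6H", 0x1A2B, flags, int(bool(q)), 0, len(auth), 0) + q + b"".join(auth)

def samples():
    """Constructed (BIND, NSD) pairs; "soa-ttl" is modelled on the foo.bar example in this note."""
    q, nx = wire("foo.bar.") + struct.pack("!2H", SOA, 1), QR | AA | RD | NXDOMAIN
    upper = soa_rr(b"\x00", 0, wire("A.ROOT-SERVERS.NET."), wire("NSTLD.VERISIGN-GRS.COM."))
    lower = soa_rr(b"\x00", 86400, wire("a.root-servers.net."), wire("nstld.verisign-grs.com."))
    plain = soa_rr(wire("BAR."), 60, wire("NS.BAR."), wire("HM.BAR."))
    packed = soa_rr(b"\xc0\x10", 60, b"\x02ns\xc0\x10", b"\x02hm\xc0\x10")  # pointers to "bar" at 16
    return {"compression": (packet(nx, q, [plain]), packet(nx, q, [packed])),
            "soa-ttl": (packet(nx, q, [upper]), packet(nx, q, [lower])),
            "formerr": (packet(QR | FORMERR, q), packet(QR | FORMERR))}
```

Calling `compare(*pair)` on the three pairs from `samples()` classifies them as `same-after-normalization`, `b-soattl` and `d-formerrquery`; a pair that matches no category raises `LookupError`, mirroring the stop-and-notify step.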

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and
Section~\ref{nl_b932nsd3} by presenting
the difference statistics for two test traces. Then in
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
d-additional (\ref{d-additional}) & 455607 & 59.19\% \\
n-clrdobit (\ref{n-clrdobit}) & 208389 & 27.07\% \\
b-soattl (\ref{b-soattl}) & 101707 & 13.21\% \\
n-update (\ref{n-update}) & 1858 & 0.24\% \\
d-hostname (\ref{d-hostname}) & 1032 & 0.13\% \\
d-formerrquery (\ref{d-formerrquery}) & 773 & 0.10\% \\
b-class0 (\ref{b-class0}) & 264 & 0.03\% \\
d-refusedquery (\ref{d-refusedquery}) & 79 & 0.01\% \\
d-notify (\ref{d-notify}) & 18 & 0.00\% \\
b-mailb (\ref{b-mailb}) & 7 & 0.00\% \\
n-tcinquery (\ref{n-tcinquery}) & 6 & 0.00\% \\
b-classany-nxdomain (\ref{b-classany-nxdomain}) & 5 & 0.00\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 4 & 0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl}) & 3 & 0.00\% \\
d-version (\ref{d-version}) & 1 & 0.00\% \\
Total number of differences: & 769753 & 100\% \\
Number of packets the same after normalization:&1474863 \\
Number of packets exactly the same on the wire:& 59161 \\
Total number of packets inspected: &2244616 \\
\end{tabular}

For each type of difference the number of packets in the trace that
match that difference is shown. The section where that difference
is analyzed is shown in parentheses after the difference name.
The percentage of differences
explained by the difference category is listed.
Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets after normalization includes the number of
packets that are the same on the wire.
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode}) & 2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit}) & 1495 & 15.56\% \\
b-soattl (\ref{b-soattl}) & 1120 & 11.65\% \\
n-update (\ref{n-update}) & 990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 847 & 8.81\% \\
d-hostname (\ref{d-hostname}) & 531 & 5.52\% \\
d-notify (\ref{d-notify}) & 98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref}) & 78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit}) & 63 & 0.66\% \\
d-version (\ref{d-version}) & 22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery}) & 8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0}) & 1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could
refer to the query or the answer. NSD clears the DO bit for all answers, a
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for
authoritative answers.
The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you get either FORMERR from BIND or REFUSED from NSD.

\vspace{-8pt}\subparagraph{Analysis:}

This is a difference in interpretation of the RFCs: a CLASS value of 0 is interpreted
as a syntax error by BIND but as another valid class (that is not served)
by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if the TC bit is set in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets. Thus
TC (TrunCation) cannot happen. Only one question per query packet is
answered by NSD; this is a design decision.

Some update, ixfr request, notify, gss-tsig TKEY sequence queries could
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this, NSD is more strict in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 0 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to internet-draft draft-andrews-dnsext-soa-discovery which,
at the moment of code development, has not (yet) been published as an RFC.
NSD conforms to the RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries.
For existing domains both
BIND and NSD reply with AA bit cleared. For nonexistent domains (nxdomain)
NSD replies with AA bit cleared. BIND replies with AA bit on and includes a
SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO. ANY MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo. ANY MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo. ANY MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

This is a feature of BIND: it answers authoritatively for CLASS ANY
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for
 some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in
some way.

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries, the missing answer
only occurs when BIND is presented with a trace of queries, not with
a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question in the answer, or
some internal state of BIND is affected by earlier queries.

NSD manages to answer the malformed query. Note that NSD does not answer
queries that are too short, or that have the QR bit set. NSD tries to be
as liberal in what it accepts as possible.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences is due to the fact that NSD does not
implement some functionality that is requested by resolvers. This
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started
without any configuration for access control on notify. For notify messages
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

Default configuration differs between the two packages. NSD is more strict.
Error codes are different, but the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or
NOTIMPL from NSD 3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update.


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you get either NOTIMPL (BIND 9) or NOERROR/NXDOMAIN (NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as
one of the RRTYPEs. MAILB is obsoleted by RFCs; the MX type is
used to transfer mail information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD answers version.server queries, BIND returns servfail.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND answer version.bind queries of the chaos class.
These answers differ in the version number they return, of course.
BIND does not answer version.server queries.
This is a design decision
on the part of NSD to answer version.server queries with the same answer.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR, BIND responds with a valid answer (the latest SOA)
and NSD responds with a NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For queries that are bad packets, with malformed RRs, with an unknown opcode,
BIND returns a FORMERR, but NSD gives up after checking the opcode and
returns NOTIMPL. NSD copies the flags from the query, and turns on the
QR (query response) bit; BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for.


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root-servers. NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. This is also discussed in
the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a followup query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

The error code is not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not return FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves case in answers. This is a choice made in REQUIREMENTS for NSD;
also see RFC1035\cite{rfc1035} 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-notify (\ref{n-notify}) & 19 & 73.08\% \\
n-ixfr (\ref{n-ixfr}) & 3 & 11.54\% \\
version.bind (\ref{nsd-version}) & 3 & 11.54\% \\
version.server (\ref{nsd-version}) & 1 & 3.85\% \\
Total number of differences: & 26 & 100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected: &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-notify (\ref{n-notify}) & 289 & 92.93\% \\
version.bind (\ref{nsd-version}) & 22 & 7.07\% \\
Total number of differences: & 311 & 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: &100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns the NOTIMPL error code,
while NSD 3 returns NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

The default config denies all notify queries for NSD 3. These answers are correct
for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given in response to IXFR queries.
NSD 2
gives FORMERR (due to the RR in the authority section). NSD 3 returns
NOTIMPL.

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed.


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-clrcdbit (\ref{n-clrcdbit}) & 516372 &84.39\% \\
d-hostname (\ref{d-hostname}) & 53431 &8.73\% \\
d-additional (\ref{d-additional}) & 32526 &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup}) & 4611 &0.75\% \\
n-update (\ref{n-update}) & 1856 &0.30\% \\
d-version (\ref{d-version}) & 1033 &0.17\% \\
b8-auth-any (\ref{b8-auth-any}) & 519 &0.08\% \\
b8-badedns0 (\ref{b8-badedns0}) & 492 &0.08\% \\
d-unknown-class (\ref{d-unknown-class}) & 482 &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 451 &0.07\% \\
b-class0 (\ref{b-class0}) & 97 &0.02\% \\
d-notify (\ref{d-notify}) & 18 &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query}) & 6 &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored}) & 4 &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl}) & 3 &0.00\% \\
b-soattl (\ref{b-soattl}) & 1 &0.00\% \\
Total number of differences: & 611902 &100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:& 2299 \\
Total number of packets inspected: &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-clrcdbit (\ref{n-clrcdbit}) & 2857 &33.53\% \\
d-unknown-opcode (\ref{d-unknown-opcode}) & 2692 &31.59\% \\
n-update (\ref{n-update}) & 1283 &15.06\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 841 &9.87\% \\
d-hostname (\ref{d-hostname}) & 531 &6.23\% \\
d-notify (\ref{d-notify}) & 293 &3.44\% \\
d-version (\ref{d-version}) & 22 &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 1 &0.01\% \\
b8-badedns0 (\ref{b8-badedns0}) & 1 &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, this minimum TTL is
larger than the original TTL of the SOA; NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8, solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 manages to reply to malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is bad, so FORMERR is needed. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores a bad EDNS0 section in queries and answers the query.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND 8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND 8 includes an authority section on queries for class ANY .
BIND 9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND 9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns NXDOMAIN,
BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries: it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}