DNS ADDITIONAL data is disappointingly poorly used
« previous entry | next entry »
26th Sep 2016 | 11:08
Recently there was a thread on bind-users about "minimal responses and speeding up queries. The discussion was not very well informed about the difference between the theory and practice of addidional data in DNS responses, so I wrote the following.
Background: DNS replies can contain "additional" data which (according to RFC 1034 "may be helpful in using the RRs in the other sections." Typically this means addresses of servers identified in NS, MX, or SRV records. In BIND you can turn off most additional data by setting the minimal-responses option.
Reindl Harald <h.reindl at thelounge.net> wrote:
additional responses are part of the inital question and
may save asking for that information - in case the additional
info is not needed by the client it saves traffic
Matus UHLAR - fantomas <uhlar at fantomas.sk>
If you turn mimimal-responses on, the required data may not be in the
answer. That will result into another query send, which means number of
There are a few situations in which additional data is useful in theory, but it's surprisingly poorly used in practice.
End-user clients are generally looking up address records, and the additional and authority records aren't of any use to them.
For MX and SRV records, additional data can reduce the need for extra A and AAAA records - but only if both A and AAAA are present in the response. If either RRset is missing the client still has to make another query to find out if it doesn't exist or wouldn't fit. Some code I am familiar with (Exim) ignores additional sections in MX responses and always does separate A and AAAA lookups, because it's simpler.
The other important case is for queries from recursive servers to authoritative servers, where you might hope that the recursive server would cache the additional data to avoid queries to the authoritative servers.
However, in practice BIND is not very good at this. For example, let's query for an MX record, then the address of one of the MX target hosts. We expect to get the address in the response to the first query, so the second query doesn't need another round trip to the authority.
Here's some log, heavily pruned for relevance.
2016-09-23.10:55:13.316 queries: info: view rec: query: isc.org IN MX +E(0)K (::1) 2016-09-23.10:55:13.318 resolver: debug 11: sending packet to 2001:500:60::30#53 ;; QUESTION SECTION: ;isc.org. IN MX 2016-09-23.10:55:13.330 resolver: debug 10: received packet from 2001:500:60::30#53 ;; ANSWER SECTION: ;isc.org. 7200 IN MX 10 mx.pao1.isc.org. ;isc.org. 7200 IN MX 20 mx.ams1.isc.org. ;; ADDITIONAL SECTION: ;mx.pao1.isc.org. 3600 IN A 18.104.22.168 ;mx.pao1.isc.org. 3600 IN AAAA 2001:4f8:0:2::2b 2016-09-23.10:56:13.150 queries: info: view rec: query: mx.pao1.isc.org IN A +E(0)K (::1) 2016-09-23.10:56:13.151 resolver: debug 11: sending packet to 2001:500:60::30#53 ;; QUESTION SECTION: ;mx.pao1.isc.org. IN A
Hmf, well that's disappointing.
Now, there's a rule in RFC 2181 about ranking the trustworthiness of data:
5.4.1. Ranking data
[ snip ]
Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query. They may be returned as additional
information where appropriate. Ignoring this would allow the
trustworthiness of relatively untrustworthy data to be increased
without cause or excuse.
Since my recursive server is validating, and isc.org is signed, it should be able to authenticate the MX target address from the MX response, and promote its trustworthiness, instead of making another query. But BIND doesn't do that.
There are other situations where BIND fails to make good use of all the records in a response, e.g. when you get a referral for a signed zone, the response includes the DS records as well as the NS records. But BIND doesn't cache the DS records properly, so when it comes to validate the answer, it re-fetches them.
In a follow-up message, Mark Andrews says these problems are on his to-do list, so I'm looking forward to DNSSEC helping to make DNS faster :-)