Response Differences Between
Bind 8.3.1-REL and nsd 1.0.1

Daniel Karrenberg
<daniel.karrenberg@ripe.net>


Abstract

This note describes observed differences 
in responses between the two DNS server implementations.



0. Introduction

The observed differences are described.
The names of the differences refer to the statistics
in Appendix A, which describe observations of
the differences in responses to real queries
to a root name server and a TLD name server.


1. Authoritative Only Differences

The most frequently occurring differences are due to 
the fact that nsd is a true 'authoritative only' server.
As such it does not return as much non-authoritative data
as bind8 does. We do not expect these differences to cause
problems in resolvers.


1.1 d-bcacheglu - Out-of-Zone Glue

Bind8 answers queries for out-of-zone (glue) A RRs 
non-authoritatively; nsd does not and provides a referral.

Analysis:
Authoritative only service should not provide 
non-authoritative data.

Example:
bind8: 115 21412 -   1/2/2 
A? NS1.FASTSERVER.NL.;
ns1.fastserver.nl. a 80.84.226.95;
fastserver.nl. ns ns1.fastserver.nl.
fastserver.nl. ns ns2.fastserver.nl.;
ns1.fastserver.nl. a 80.84.226.95
ns2.fastserver.nl. a 80.84.226.98;
nsd:  99 21412 -   0/2/2 
A? NS1.FASTSERVER.NL.;
fastserver.nl. ns ns1.fastserver.nl.
fastserver.nl. ns ns2.fastserver.nl.;
ns1.fastserver.nl. a 80.84.226.95
ns2.fastserver.nl. a 80.84.226.98;


1.2 d-nnocachns - Non Authoritative Answers 

Bind8 answers queries with non-authoritative data;
nsd does not and provides a referral.
This also happens on type=ANY queries.
In essence it is the same difference as 
d-bcacheglu, just differentiated
from glue information for analysis purposes. 

Analysis:
Authoritative only service should not provide 
non-authoritative data.

Example:
bind8: 139 25304 -   3/0/3 
NS? flightcam.de.;
flightcam.de. ns ns.kdt.de.
flightcam.de. ns ns2.kdt.de.
flightcam.de. ns ns.wtal.de.;
ns.kdt.de. a 195.8.224.1
ns2.kdt.de. a 195.8.224.2
ns.wtal.de. a 212.17.226.130;
nsd:   139 25304 -   0/3/3 
NS? flightcam.de.;
flightcam.de. ns ns.kdt.de.
flightcam.de. ns ns2.kdt.de.
flightcam.de. ns ns.wtal.de.;
ns.kdt.de. a 195.8.224.1
ns2.kdt.de. a 195.8.224.2
ns.wtal.de. a 212.17.226.130;



2. Bind Bugs

Some differences are due to bind bugs 
and/or bind answers not conforming to the standard.


2.1 b-multrrset - Multiple RRSets in Response

nsd does not send an RRset more than once in a response
as per RFC2181 section 5.5. 

Bind8 is observed to send the same RRset in both the 
answer and Additional sections.
This is not conforming to the standard.

Analysis:
NSD answers correctly as per the RFCs. 
Some incorrect and particularly naive resolver
implementations could be affected.
No such implementation is known.

Example: 
bind8: 24531*- q: A? A.ROOT-SERVERS.NET. 1/4/4 
A.ROOT-SERVERS.NET. A 198.41.0.4 
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS f.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS j.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS k.ROOT-SERVERS.NET. 
ar: A.ROOT-SERVERS.NET. A 198.41.0.4, 
f.ROOT-SERVERS.NET. A 192.5.5.241, 
j.ROOT-SERVERS.NET. A 198.41.0.10, 
k.ROOT-SERVERS.NET. A 193.0.14.129 (178) 

nsd:   24531*- q: A? A.ROOT-SERVERS.NET. 1/4/3 
A.ROOT-SERVERS.NET. A 198.41.0.4 
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS F.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS J.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS K.ROOT-SERVERS.NET. 
ar: F.ROOT-SERVERS.NET. A 192.5.5.241, 
J.ROOT-SERVERS.NET. A 198.41.0.10, 
K.ROOT-SERVERS.NET. A 193.0.14.129 (162) 
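
The RFC 2181 section 5.5 check behind b-multrrset, as an added example that is not part of the original note: the two responses above are parsed and any RRset present in more than one section is reported. The function names are hypothetical, the section splitting assumes the `ns:`/`ar:` layout shown above, and class IN is assumed throughout.

```python
import re
from collections import defaultdict

# The two responses from the example above, reflowed; whitespace is not significant.
BIND8 = """24531*- q: A? A.ROOT-SERVERS.NET. 1/4/4 A.ROOT-SERVERS.NET. A 198.41.0.4
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., ROOT-SERVERS.NET. NS f.ROOT-SERVERS.NET.,
ROOT-SERVERS.NET. NS j.ROOT-SERVERS.NET., ROOT-SERVERS.NET. NS k.ROOT-SERVERS.NET.
ar: A.ROOT-SERVERS.NET. A 198.41.0.4, f.ROOT-SERVERS.NET. A 192.5.5.241,
j.ROOT-SERVERS.NET. A 198.41.0.10, k.ROOT-SERVERS.NET. A 193.0.14.129 (178)"""
NSD = """24531*- q: A? A.ROOT-SERVERS.NET. 1/4/3 A.ROOT-SERVERS.NET. A 198.41.0.4
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., ROOT-SERVERS.NET. NS F.ROOT-SERVERS.NET.,
ROOT-SERVERS.NET. NS J.ROOT-SERVERS.NET., ROOT-SERVERS.NET. NS K.ROOT-SERVERS.NET.
ar: F.ROOT-SERVERS.NET. A 192.5.5.241, J.ROOT-SERVERS.NET. A 198.41.0.10,
K.ROOT-SERVERS.NET. A 193.0.14.129 (162)"""

def parse_sections(text):
    """Split one printed response into answer/authority/additional RR lists."""
    flat = " ".join(text.split())
    m = re.match(r"\S+ q: \S+ \S+ (\d+)/(\d+)/(\d+) (.*?)(?: \(\d+\))?$", flat)
    if not m:
        raise ValueError("unrecognised response format")
    an, _, rest = m.group(4).partition(" ns: ")
    ns, _, ar = rest.partition(" ar: ")
    sections = {}
    for name, raw, count in zip(("an", "ns", "ar"), (an, ns, ar), m.groups()):
        rrs = [tuple(rr.split(None, 2)) for rr in raw.split(", ") if rr]
        if len(rrs) != int(count):  # cross-check against the an/ns/ar counts
            raise ValueError(f"{name}: header says {count} RRs, parsed {len(rrs)}")
        sections[name] = rrs
    return sections

def duplicated_rrsets(sections):
    """Return {(owner, type): [sections]} for RRsets present in more than one section."""
    seen = defaultdict(set)
    for name, rrs in sections.items():
        for owner, rrtype, _rdata in rrs:
            seen[(owner.lower(), rrtype.upper())].add(name)  # owner names are case-insensitive
    return {key: sorted(secs) for key, secs in seen.items() if len(secs) > 1}

print("bind8:", duplicated_rrsets(parse_sections(BIND8)))
print("nsd:  ", duplicated_rrsets(parse_sections(NSD)))
```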


2.2 b-rootdot - bind does not return NXDOMAIN on 'root.'

bind does not answer NXDOMAIN on queries for 'root.' while
this domain does not exist in class IN.

Analysis:
bind has a pseudo domain 'root.' somewhere.
nsd does not.


2.3 b-nonxdom - bind misses NXDomain when no zone cut

bind8 refers to itself if it is asked for an authoritative
answer in cases where there is no zone cut but other data.

Analysis:
A bind bug.

Example:
zone file:
www.pool-effekt 86400 IN A              194.246.96.72
bind8: 82   889 *-  0/1/0 
A? pool-effekt.de.;
de. soa dns.denic.de. ops.denic.de. 2002031701 10800 7200 3600000 3600;
nsd:   82   889 *-  0/1/0 NXDomain
A? pool-effekt.de.;
de. soa dns.denic.de. ops.denic.de. 2002031701 10800 7200 3600000 3600;


2.4 n-clrcdbit - nsd clears CD bit in response

nsd clears the CD header-bit in responses, 
bind copies it from the query.
Security unaware servers should clear this bit 
as per RFC1035 4.1.1.

Analysis:
A bind bug.


3. Functionality Differences

The next group of differences are due to the fact that
nsd does not implement some functionality that is requested.
This is a design choice and should not cause resolver
problems at all.


3.1 d-nnotimpny - nsd returns Refused on notify requests

nsd returns REFUSED to notify operations and does not return
the original query.

Example:
bind8:  29     0 -   0/0/0 notify ServFail
SOA? smgcinc.com.;
nsd:    12     0 *-  0/0/0 notify Refused

Analysis:
This is a permanent error.
Interpretation of the protocol standard differs. 


3.2 d-nrefclass - nsd returns Refused on unknown class/type

nsd returns the error code REFUSED to queries with an unknown
class or RR type. bind returns SERVFAIL.

Analysis:
This is a permanent error.
Interpretation of the protocol
standard differs. 

Example:
bind8: 32  1388 -   0/0/0 ServFail
Type0 (Class 256)? 10.225.125.182.;
nsd:   32  1388 -   0/0/0 Refused
Type0 (Class 256)? 10.225.125.182.;


3.3 d-nonrefut - nsd returns no data on refused update

nsd does not return the original message data on refused updates.

Analysis:
Interpretation of the RFCs differs. 
Original data is not necessary,
dropping it increases DoS resilience.

Example:

bind8: 63  7610 -   1/1/0 update Refused
SOA? .;
doydoy.res.hmc.edu. (class 254) a 192.17.0.1;
doydoy.res.hmc.edu. a 134.173.62.172;

nsd:   12  7610 -   0/0/0 update Refused;
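
A header-only refusal like the 12-byte nsd response above, as an added example that is not NSD's code: nothing beyond the first four bytes of the request is read or echoed, so the reply size is constant, and the CD bit is cleared as in section 2.4. Keeping RD and dropping packets that are themselves responses are assumptions of this example; the UPDATE request is constructed.

```python
import struct

QR, OPCODE_MASK, RD, CD, REFUSED = 0x8000, 0x7800, 0x0100, 0x0010, 5

def refuse(request: bytes):
    """Return a 12-byte header-only REFUSED reply, or None if no reply should be sent."""
    if len(request) < 12:
        return None                       # no complete header, nothing to answer
    qid, flags = struct.unpack("!2H", request[:4])
    if flags & QR:
        return None                       # never answer a response (avoids reply loops)
    # Keep only opcode and RD from the request; AA, TC, RA, Z, AD and CD end up cleared.
    out_flags = QR | (flags & (OPCODE_MASK | RD)) | REFUSED
    return struct.pack("!6H", qid, out_flags, 0, 0, 0, 0)

def sample_update(extra=40):
    """Constructed UPDATE request (opcode 5) with CD set, zone '. SOA IN', then opaque bytes."""
    header = struct.pack("!6H", 7610, (5 << 11) | CD, 1, 0, 1, 0)
    return header + b"\x00" + struct.pack("!2H", 6, 1) + bytes(extra)

def summarize(reply: bytes):
    """Decode the fields of a reply header that matter for the comparison."""
    qid, flags = struct.unpack("!2H", reply[:4])
    return {"len": len(reply), "id": qid, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "cd": bool(flags & CD),
            "counts": struct.unpack("!4H", reply[4:])}

print(summarize(refuse(sample_update())))
```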


3.4 d-bindchaos - nsd does not implement the bind. TLD in class CHAOS

nsd does not implement the pseudo TLD 'bind' in class CHAOS to make
server characteristics available via the query interface. nsd does
implement the (proposed) 'server' pseudo TLD in class CHAOS instead.


4. Design Dependent Differences

This group of differences contains minor variations
of responses due to different design choices. 
At present this only appears in the different
way name encoding (compression) is done.


4.1 Different Name Encoding

Since NSD pre-computes its answers for
efficiency, in a very few cases its name
encoding differs from that generated by bind8.
These cases occur when the parts of the 
answer can be encoded using parts of the
question. 

The different encoding can affect the 
answer in three different, 
increasingly severe ways.

- same response (d-nameencod)
  The content of the response is exactly the same,
  just encoded differently. The only effect of 
  this is a slightly increased length of the 
  response. In our observations the total 
  output bandwidth increase caused by this 
  is negligible. It is shown as "Added Bytes:"
  in the comparisons.

- same answer (d-nameenctr)
  The answer is the same; the additional
  section is shortened by one or more
  RRsets. This may cause some loss of 
  optimisation in resolvers that may need
  additional queries to obtain some of
  the omitted information.
  Note again that the answer is fully transmitted
  and thus the 'truncated answer' bit is not set.
  The total number of omitted RRs is noted in the
  comparisons. We have only observed this when responding to
  queries for unusually long names.
  The maximum omission observed was 1 RR.

- truncated answer
  This is when the answer would be truncated 
  and the 'truncated answer' bit set.
  We have not observed this at all.

Analysis: 
These are expected differences caused by design choices.
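
Why the same content can differ in length (d-nameencod), as an added example that is not part of the original note and is neither NSD's nor bind8's code: a minimal RFC 1035 section 4.1.4 name compressor builds one referral twice, once allowed to point at every suffix of the question name and once only at the zone-cut suffix. That restriction is an assumed, simplified model of an answer prepared before the query is seen; the names, addresses and TTL are constructed.

```python
import struct

def put_name(msg, name, table):
    """Append `name` to msg, replacing the longest known suffix with a pointer."""
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            msg += struct.pack("!H", 0xC000 | table[suffix])
            return
        table[suffix] = len(msg)             # later names may point here
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00"

def build_referral(qname, cut, glue, visible):
    """Referral for zone cut `cut`. Only suffixes of `visible` inside the question
    name may be pointer targets: the whole qname models run-time compression,
    the zone cut models an answer body prepared in advance (assumption)."""
    msg = bytearray(struct.pack("!6H", 0, 0x8000, 1, 0, len(glue), len(glue)))
    table, qlabels = {}, qname.rstrip(".").split(".")
    keep = len(visible.rstrip(".").split("."))
    for i, label in enumerate(qlabels):
        if len(qlabels) - i <= keep:
            table[".".join(qlabels[i:]).lower()] = len(msg)
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!2H", 1, 1)            # QTYPE=A, QCLASS=IN
    for host, _ip in glue:                                # authority: <cut> NS <host>
        put_name(msg, cut, table)
        msg += struct.pack("!2HIH", 2, 1, 86400, 0)      # RDLENGTH patched below
        start = len(msg)
        put_name(msg, host, table)
        msg[start - 2:start] = struct.pack("!H", len(msg) - start)
    for host, ip in glue:                                 # additional: <host> A <ip>
        put_name(msg, host, table)
        msg += struct.pack("!2HIH", 1, 1, 86400, 4) + bytes(map(int, ip.split(".")))
    return bytes(msg)

# Constructed sample: the query name lies below the delegation and contains a server name.
QNAME, CUT = "www.ns1.example.nl.", "example.nl."
GLUE = [("ns1.example.nl.", "192.0.2.1"), ("ns2.example.nl.", "192.0.2.2")]

def added_bytes():
    runtime = build_referral(QNAME, CUT, GLUE, visible=QNAME)
    prepared = build_referral(QNAME, CUT, GLUE, visible=CUT)
    return len(runtime), len(prepared), len(prepared) - len(runtime)

print(added_bytes())
```

Both messages carry the same four RRs; the second one spells out the `ns1` label once because it cannot point into the question name.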



Appendix A

Comparison of responses to root NS queries: 

--------------------------------------------------------------------------
                                            Total Answers: 899720
--------------------------------------------------------------------------

                                               d-bcacheglu  46960 /  5.22%
                                               d-nameencod   3764 /  0.42%
                                               d-nclrcdbit   1616 /  0.18%
                                   d-bcacheglu b-multrrset    626 /  0.07%
                                               d-nameenctr    340 /  0.04%
                                               d-nrefclass    252 /  0.03%
                                                d-updrefut     55 /  0.01%
                                               d-nnocachns     17 /  0.00%
                                               d-nnotimpny      4 /  0.00%
                                       b-rootdot b-nonxdom      3 /  0.00%
                                               d-bindchaos      2 /  0.00%
--------------------------------------------------------------------------
                                 Total Different Responses  53639 /  5.96%
==========================================================================

b-multrrset -   bind puts same RRSet in multiple sections:    626 /  1.15%
b-nonxdom   -       bind misses NXDomain when no zone cut:      3 /  0.01%
b-rootdot   -              bind answers queries for ROOT.:      3 /  0.01%
d-bcacheglu -              bind answers with chached glue:  47586 / 87.69%
d-bindchaos -               bind answers to CHAOS *.bind.:      2 /  0.00%
d-nameencod -                     different name encoding:   3764 /  6.94%
                                  Additional bytes:  13654
d-nameenctr -       different name enc. causes truncation:    340 /  0.63%
                                     Truncated RRs:    340
d-nclrcdbit -               nsd clears CD bit in response:   1616 /  2.98%
d-nnocachns -     ns returns no non-authoritative answers:     17 /  0.03%
d-nnotimpny -       nsd returns NotImp on notify requests:      4 /  0.01%
d-nrefclass -   nsd returns Refused on unknown class/type:    252 /  0.46%
d-nupdrefut -      nsd returns no data on refused upddate:     55 /  0.10%
--------------------------------------------------------------------------
                                         Total Differences  54268 /100.00%
==========================================================================



Appendix B

Comparison of responses to NL TLD queries:

--------------------------------------------------------------------------
                                            Total Answers: 881774
--------------------------------------------------------------------------

                                   d-bcacheglu b-multrrset 104769 / 11.88%
                                   b-multrrset d-nnocachns  45906 /  5.21%
                                               d-nnotimpny  44852 /  5.09%
                                                d-updrefut  36149 /  4.10%
                                               d-nnocachns  13055 /  1.48%
                                               d-nclrcdbit   8177 /  0.93%
                                               d-nameencod    888 /  0.10%
                                    parseerror d-nnocachns      5 /  0.00%
                                     parseerror d-updrefut      1 /  0.00%
                                                parseerror      1 /  0.00%
--------------------------------------------------------------------------
                                 Total Different Responses 253803 / 28.78%
==========================================================================

b-multrrset -   bind puts same RRSet in multiple sections: 150675 / 37.25%
d-bcacheglu -              bind answers with chached glue: 104769 / 25.90%
d-nameencod -                     different name encoding:    888 /  0.22%
                                  Additional bytes:   3130
d-nclrcdbit -               nsd clears CD bit in response:   8177 /  2.02%
d-nnocachns -     ns returns no non-authoritative answers:  58966 / 14.58%
d-nnotimpny -       nsd returns NotImp on notify requests:  44852 / 11.09%
d-nupdrefut -      nsd returns no data on refused upddate:  36150 /  8.94%
parseerror  -    Could not parse tcpdump output correctly:      7 /  0.00%
--------------------------------------------------------------------------
                                         Total Differences 404484 /100.00%
==========================================================================

