2

Does the IP address of authoritative name server from Glue record get cached by the Recursive resolver?
The name server for a top level domain includes glue along with the delegation for a domain name.
Now, does the Recursive resolver cache this 'A'/'AAAA' record (glue record)? I know that caching applies only if the response came from an 'Authoritative' Name server but here the TLD Name server further delegates and cannot be considered Authoritative.
Or
Does the Authoritative Name server also provides its own IP address as an A record (along with the domain's A record) and this is what gets cached by Recursive resolver?

Abhishek Palakkal Kaliyath
  • 197
  • 5

1 Answers1

3

Normally, the glue records aren't given as authoritative answers, which you may notice, if you look at the flags (the existence or absence of aa Authoritative Answer; RFC 1035, 4.1.1) e.g. of the following queries:

  • Authoritative on the parent:

     dig com NS @f.gtld-servers.net
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

  • Deletation of control. Both gives glue records in the additional section.

     dig google.com NS @f.gtld-servers.net
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9

 dig ns1.google.com A @f.gtld-servers.net
 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9

  • Authoritative answers from an authoritative server:

     dig google.com NS @ns1.google.com
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

 dig ns1.google.com A @ns1.google.com
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

The basic algorithm from RFC 1034, 5.3.3 caches most of the response data; only failures and other bizarre contents (d) are ignored (emphasis is mine):

  • a. if the response answers the question or contains a name error, cache the data as well as returning it back to the client.

  • b. if the response contains a better delegation to other servers, cache the delegation information, and go to step 2.

  • c. if the response shows a CNAME and that is not the answer itself, cache the CNAME, change the SNAME to the canonical name in the CNAME RR and go to step 1.

  • d. if the response shows a servers failure or other bizarre contents, delete the server from the SLIST and go back to step 3.

The RFC also mentions some implementation could have an option to force the resolver to ignore the cached data and consult with an authoritative server. What really happens depends on the implementation. According to How DNS Kills the Internet from Kudelski Security Research:

Beside bugs that can result in non-intentional false responses, cache poisoning (see Dan Kaminsky’s 2008 DNS vulnerability and The Hitchhiker’s Guide to DNS Cache Poisoning) has to be taken into consideration. Many DNS cache implementations cache the glue records as normal records, thus a DNS server may provide a malicious response and in consequence having a wrong entry in the cache.

For example:

evil.com.       IN NS ns.company.com.
ns.company.com. IN A 6.6.6.6

While the legitimate server says

company.com.    IN NS ns.company.com.
ns.company.com. IN A 1.2.3.4

So the wrong IP address will end up in the cache for the lifetime of the record. To avoid this problem most of the caching resolver implementation do not trust and ignore the optional glue records for out-of-bailiwick NS records, and thus ignore the ns.company.com. IN A 6.6.6.6 in the example above. A note for DNS administrator: it is good practice to have only in-bailiwick records.

Whether an answer is authoritative or not isn't per se an indicator on whether the records should be cached or not:

  • The upper level name servers are part of the same authoritative name server structure. Therefore, as they do delegate control of their subdomains i.e. ultimately can control who can answer authoritatively, they should be trusted and are trustworthy. Normally, the glue records should match the records on the zone itself, and everything else would be a configuration error per IANA Technical requirements for authoritative name servers:

Consistency between glue and authoritative data

For name servers that have IP addresses listed as glue, the IP addresses must match the authoritative A and AAAA records for that host.

Consistency between delegation and zone

The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.

  • Not every recursive server starts resolving the name from the root name servers, but there are more complex recursive infrastructures, too. A resolver can have forwarders, other recursive name servers they ask instead of the authoritative name servers. These responses are never authoritative, but are always cached.

  • In DNS cache poisoning scenarios the perpetrator isn't any of the authoritative name servers, but an answer spoofed to be from a trusted source, whether it's an authoritative name server or a forwarder. Because DNS utilizes UDP, spoofing the responses is easier. There are some solutions against that:

    • Maximum UDP response size. If the response is bigger than that i.e. greater than a single UDP packet, DNS uses TCP. Having an additional section, a response containing glue records easily goes over that boundary. TCP connections aren't that easy to spoof, as it would require a MitM position.

    • DNSSEC validation. A spoofed response can't have matching DNSSEC signatures for their records, so they won't get cached.

    • Encrypted DNS. There are two standards: DNS over TLS (RFC 7858) and DNS over HTTPS (RFC 8484).

Community
  • 1
Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
  • Thank you @Esa Jokinen, so ideally Authoritative answers should only be cached. QQ - Authoritative answer also include an NS record along with A record. Now, when the A record expires after its TTL, the resolver cache has only NS record (because of its longer TTL). Now, if a user tries to reach a domain name, does the resolver starts looking from NS record ? i.e. again getting the glue record and finally reaching the Name Server for domain, caching the Authoritative answer. – Abhishek Palakkal Kaliyath May 31 '20 at 03:54
  • I think you concentrate too much on the `aa` bit. I've added an explanation on why it's not generally a problem to cache non-authoritative answers. I think this better answers your concerns behind this question. – Esa Jokinen May 31 '20 at 06:08
  • Adding to my above comment, does the IP address of the Authoritative Name server of a domain ever get cached? Or is it always only the resolved domain's A and NS record that get cached? – Abhishek Palakkal Kaliyath May 31 '20 at 06:12
  • They are just normal `A` and `AAAA` records and gets cached like everything else. – Esa Jokinen May 31 '20 at 06:14
  • Got it - so, caching is independent of aa bit ! Thanks. – Abhishek Palakkal Kaliyath May 31 '20 at 06:15
  • The reason I concentrated on aa bit was because I started my questions based on "why NS records are duplicated in the Authoritative Name server?" - After seeing responses from other users, it led me to think only aa responses are cached. But then if other than aa information is cached as well, why duplicate NS records in Authoritative Name server.. – Abhishek Palakkal Kaliyath May 31 '20 at 06:19
  • That comes from the consistency requirements cited in my answer. It wouldn't make sense if they returned NXDOMAIN on the authoritative zone where they should be, and they are required to be on the parent in order to be found in the first place. – Esa Jokinen May 31 '20 at 06:26
  • Thanks - things getting clearer :-) On "consistency requirements", - so, who/where does the matching happen - at resolver? Also, for "Consistency between glue and authoritative data", to perform the matching, does the resolver check the hosted zone for the Name Server as well (which could be hosted within itself)? I thought the IP address from glue was used to check the hosted zone of requested domain name only (but not for itself).. – Abhishek Palakkal Kaliyath May 31 '20 at 06:59
  • That's not explicitly checked / matched / enforced by the resolvers, but is more of a regulation & standard. – Esa Jokinen May 31 '20 at 07:04
  • I think I am utterly confused now :-) 24 hours and no luck - There is answer in here - https://serverfault.com/q/526278/577132 on duplicating NS records in the Zone files but is very verbose and just never gets to the point. Can you simplify it - your response states that this is a standard for consistency requirements whereas the other response talks about caching reasons indicating that only Authoritative responses are cached. At least can you point me to a good material? None seem to exist that explains this clearly. – Abhishek Palakkal Kaliyath May 31 '20 at 18:21
  • I've added [RFC 1034, 5.3.3](https://tools.ietf.org/html/rfc1034#section-5.3.3) as a reference. The basic algorithm from the standard simply caches almost everything, although some implementation may continue without caching until they finally got an authoritative answer. Also, not answering authoritatively in the end is considered an error, *lame delegation*, but it doesn't really affect caching, either. – Esa Jokinen May 31 '20 at 19:51
  • Ah ! this looks great, I will dig :-) deeper here. – Abhishek Palakkal Kaliyath May 31 '20 at 19:57
  • "Normally, the glue records aren't given as authoritative answers," By definition glue recdords are never authoritative because they come from "outside" of the zone. – Patrick Mevzek Jun 01 '20 at 00:25
  • "Also, not answering authoritatively in the end is considered an error, lame delegation, but it doesn't really affect caching, either." Yes and no. If the resolver is child-centric (which is kind of what the specifications hint at but debate on this is still ongoing) then only what is in the child zone counts (and should be cached) irrespective to how you happen to arrive there (based on the lame delegations). Note that the latest draft on stuff like this mention that things are fine if the child NS RRset is a **superset** of the one in parent. – Patrick Mevzek Jun 01 '20 at 00:29