Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!julius.cs.uiuc.edu!rpi!uupsi!sunic!ugle.unit.no!spurv.runit.sintef.no!he
From: he@spurv.runit.sintef.no (Havard Eidnes)
Newsgroups: comp.protocols.tcp-ip.domains
Subject: Removing unneeded glue records
Message-ID: <1991Feb3.225247.14168@ugle.unit.no>
Date: 3 Feb 91 22:52:47 GMT
Sender: news@ugle.unit.no
Reply-To: he@idt.unit.no (Havard Eidnes)
Organization: Computing center at the University of Trondheim, Norway
Lines: 65

We have had some problems with "undesired information leakage" in
BIND 4.8.3. Let me illustrate with the following situation:

    Two name servers: A and B, registered in unrelated domains
    Two domains: dom.A and dom.B
    dom.A authoritative copy on A, secondary on B
    dom.B authoritative copy on B, secondary on A

You decide to change the IP address of name server A. You will
probably have a hard time stomping out the RR for the old A
information. The reason is that during a zone transfer, BIND insists
on sending glue records (containing A information) even though the
glue record is for a name outside of the domain the zone contains.
It may fetch this old A record from anywhere, including from
cached-up information (making the need for a secondary-NS-loop like
the above unnecessary for this misfeature to bite).

In order to get rid of this stale record in the domain name servers
you will have to simultaneously do this on both name servers:

    stop name server
    remove secondary zone data (to force a reload)
    start name server

For various reasons this may be hard to do.

Instead, I have developed a fix to BIND version 4.8.3 so that BIND
will only supply glue records that are truly needed (e.g. the NS in
question is located in a subdomain of the "current" domain name) when
doing a zone transfer. The fix follows below, possibly with tabs
converted to spaces.

I have not checked with the RFCs whether this is allowed behaviour,
but my experience with the DNS says this makes sense.

Comments gladly accepted.
- Havard ------------------------------ Fix to BIND 4.8.3. Apply with "patch -p0 -l" *** /tmp/,RCSt1a21126 Sun Feb 3 23:41:34 1991 --- ns_req.c Sat Feb 2 12:54:09 1991 *************** *** 991,994 **** --- 991,995 ---- char *fname; char dname[MAXDNAME]; + char gname[MAXDNAME]; HEADER *hp = (HEADER *) msg; int fndns; *************** *** 1037,1040 **** --- 1038,1052 ---- if (gnp == NULL || fname != dp->d_data) continue; + /* Do not send glue record unless we delegate to a */ + /* domain name in this domain. This is an attempt at */ + /* preventing old RR's to circulate between domain */ + /* name servers that provide secondary service for */ + /* each others zones. */ + getname(gnp, gname, sizeof(gname)); + n = strlen(gname) - strlen(dname); + if (n < 0) /* can not possibly be a subdomain */ + continue; + if (strcasecmp(dname, gname + n) != 0) + continue; for(gdp=gnp->n_data; gdp != NULL; gdp=gdp->d_next) { if (gdp->d_type != T_A || stale(gdp))
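Review bot: the suffix comparison in the second hunk, `if (strcasecmp(dname, gname + n) != 0)`, does not check that the match starts on a label boundary, so a glue name that merely ends with the zone name (for example an NS named under `xdom.A` while transferring `dom.A`) still passes and its A record is still sent, which is exactly the stale-glue leak the patch sets out to stop; require `n == 0 || gname[n - 1] == '.'` before the `strcasecmp`. The hunk also relies on an `int n` that is not declared in either hunk, so the patch assumes the enclosing function already has one.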
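The "is this NS name inside the zone being transferred?" test is the whole of the fix, so here it is worked through as an added example that is not code from the original post or from BIND: the plain suffix comparison the patch uses, next to a label-aware version, applied to a small constructed set of NS/glue candidates for a hypothetical zone `dom.a`. All names and addresses below are constructed for illustration.

```c
/*
 * Added example, not from the original post or from BIND 4.8.3.
 * Two versions of the "glue name is in the zone" test:
 *   suffix_match()  - the raw suffix comparison the patch performs
 *   in_zone()       - the same test, but anchored on a label boundary
 * plus a small glue selector that applies either rule to a list of
 * NS records. Zone, host names and addresses are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strncasecmp (POSIX) */

/* Length of a name with one trailing dot dropped, so "dom.a." == "dom.a". */
static size_t trimmed_len(const char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.')
        n--;
    return n;
}

/* The patch's rule: gname ends with dname (case-insensitive).
 * Returns 1 on a suffix match, 0 otherwise. */
int suffix_match(const char *gname, const char *dname)
{
    size_t gl = trimmed_len(gname), dl = trimmed_len(dname);
    if (gl < dl)
        return 0;               /* cannot possibly be a subdomain */
    return strncasecmp(gname + (gl - dl), dname, dl) == 0;
}

/* Label-aware rule: a suffix match that also requires the character
 * before the suffix to be a label separator, or the names to be equal.
 * The root zone (empty after trimming) contains every name. */
int in_zone(const char *gname, const char *dname)
{
    size_t gl = trimmed_len(gname), dl = trimmed_len(dname);
    if (dl == 0)
        return 1;
    if (!suffix_match(gname, dname))
        return 0;
    return gl == dl || gname[gl - dl - 1] == '.';
}

/* One NS delegation together with the A record that would be its glue. */
struct ns_rec {
    const char *nsname;         /* NS target name */
    const char *addr;           /* candidate glue address */
};

/* Constructed sample: what a transfer of "dom.a" might have to choose from. */
#define NSAMPLE 3
static const struct ns_rec sample[NSAMPLE] = {
    { "ns.dom.a",   "192.0.2.1" },   /* in-zone: glue is needed        */
    { "b.example",  "192.0.2.2" },   /* unrelated domain: no glue      */
    { "ns.xdom.a",  "192.0.2.3" },   /* ends with "dom.a" but is not in it */
};

/* Apply `rule` to every record; store the indices of the records whose glue
 * would be sent in out[] and return how many there are. */
int select_glue(const char *zone, const struct ns_rec *recs, int nrecs,
                int (*rule)(const char *, const char *), int *out)
{
    int count = 0;
    for (int i = 0; i < nrecs; i++)
        if (rule(recs[i].nsname, zone))
            out[count++] = i;
    return count;
}

int main(void)
{
    int out[NSAMPLE];
    int n;

    n = select_glue("dom.a", sample, NSAMPLE, suffix_match, out);
    printf("suffix rule sends %d glue record(s):\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s -> %s\n", sample[out[i]].nsname, sample[out[i]].addr);

    n = select_glue("dom.a", sample, NSAMPLE, in_zone, out);
    printf("label-aware rule sends %d glue record(s):\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s -> %s\n", sample[out[i]].nsname, sample[out[i]].addr);
    return 0;
}
```

Run against the constructed records, the suffix rule lets the `ns.xdom.a` glue through because `dom.a` is a suffix of its name, while the label-aware rule sends only the `ns.dom.a` glue; the difference is the one extra check on the character preceding the matched suffix.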