Response Differences Between
Bind 8.3.3-REL and nsd 1.1.0

Daniel Karrenberg
<daniel.karrenberg@ripe.net>

Version: 1.0

Abstract

This note describes observed differences
in responses between the two DNS server implementations named above.



0. Introduction

The observed differences are described.
The names of the differences refer to the statistics
in Appendix A, which describe observations of
the differences in responses to real queries
to a root name server and a TLD name server.


1. Authoritative Only Differences

The most frequently occurring differences are due to
the fact that nsd is a true 'authoritative only' server.
As such it does not return as much non-authoritative data
as bind8 does. We do not expect these differences to cause
problems in resolvers.


1.1 d-bcacheglu - Out-of-Zone Glue

Bind8 answers queries for out-of-zone (glue) A RRs 
non-authoritatively; nsd does not and provides a referral.

Analysis:
Authoritative only service should not provide 
non authoritative data.

Example:

bind8: 115 21412 -   1/2/2 
A? NS1.FASTSERVER.NL.;
ns1.fastserver.nl. a 80.84.226.95;
fastserver.nl. ns ns1.fastserver.nl.
fastserver.nl. ns ns2.fastserver.nl.;
ns1.fastserver.nl. a 80.84.226.95
ns2.fastserver.nl. a 80.84.226.98;

nsd:  99 21412 -   0/2/2 
A? NS1.FASTSERVER.NL.;
fastserver.nl. ns ns1.fastserver.nl.
fastserver.nl. ns ns2.fastserver.nl.;
ns1.fastserver.nl. a 80.84.226.95
ns2.fastserver.nl. a 80.84.226.98;


1.2 d-nnocachns - Non Authoritative Answers 

Bind8 answers queries with non-authoritative data;
nsd does not and provides a referral.
This also happens on type=ANY queries.
In essence it is the same difference as
d-bcacheglu, just differentiated
from glue information for analysis purposes.

Analysis:
Authoritative only service should not provide 
non authoritative data.

Example:

bind8: 139 25304 -   3/0/3 
NS? flightcam.de.;
flightcam.de. ns ns.kdt.de.
flightcam.de. ns ns2.kdt.de.
flightcam.de. ns ns.wtal.de.;
ns.kdt.de. a 195.8.224.1
ns2.kdt.de. a 195.8.224.2
ns.wtal.de. a 212.17.226.130;

nsd:139 25304 -   0/3/3 
NS? flightcam.de.;
flightcam.de. ns ns.kdt.de.
flightcam.de. ns ns2.kdt.de.
flightcam.de. ns ns.wtal.de.;
ns.kdt.de. a 195.8.224.1
ns2.kdt.de. a 195.8.224.2
ns.wtal.de. a 212.17.226.130;



2. Bind Bugs

Some differences are due to bind bugs
and/or bind answers not conforming to the
Internet standards.


2.1 b-multrrset - Multiple RRSets in Response

nsd does not send an RRset more than once in a response
as per RFC2181 section 5.5. 

Bind8 is observed to send the same RRset in both the
Answer and Additional sections.
This does not conform to the standard.

Analysis:
NSD answers correctly as per the standard.
Some incorrect and particularly naive resolver
implementations could be affected.
No such implementation is known.

Example: 

bind8: 24531*- q: A? A.ROOT-SERVERS.NET. 1/4/4 
A.ROOT-SERVERS.NET. A 198.41.0.4 
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS f.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS j.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS k.ROOT-SERVERS.NET. 
ar: A.ROOT-SERVERS.NET. A 198.41.0.4, 
f.ROOT-SERVERS.NET. A 192.5.5.241, 
j.ROOT-SERVERS.NET. A 198.41.0.10, 
k.ROOT-SERVERS.NET. A 193.0.14.129 (178) 

nsd:   24531*- q: A? A.ROOT-SERVERS.NET. 1/4/3 
A.ROOT-SERVERS.NET. A 198.41.0.4 
ns: ROOT-SERVERS.NET. NS A.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS F.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS J.ROOT-SERVERS.NET., 
ROOT-SERVERS.NET. NS K.ROOT-SERVERS.NET. 
ar: F.ROOT-SERVERS.NET. A 192.5.5.241, 
J.ROOT-SERVERS.NET. A 198.41.0.10, 
K.ROOT-SERVERS.NET. A 193.0.14.129 (162) 
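To make the RFC 2181 check concrete, here is an added Python example (not code from the note) that groups the two responses above into RRsets and reports the one bind8 sends twice; the an/ns/ar counts it derives match the 1/4/4 and 1/4/3 figures in the listing.

```python
# Added example, not code from the note: group the RRs of a response into
# RRsets and report any RRset present in more than one section, which
# RFC 2181 section 5.5 forbids. Owner names compare case-insensitively
# (RFC 1035 section 2.3.3), so A.ROOT-SERVERS.NET. and a.root-servers.net.
# are the same owner.
from collections import defaultdict

def rrset_key(owner, rtype):
    # An RRset is identified by owner name and type (class IN assumed).
    return (owner.lower().rstrip("."), rtype.upper())

def duplicated_rrsets(sections):
    # sections: {"an" | "ns" | "ar": [(owner, type, rdata), ...]}
    where = defaultdict(set)            # RRset -> sections it appears in
    for sec, rrs in sections.items():
        for owner, rtype, _rdata in rrs:
            where[rrset_key(owner, rtype)].add(sec)
    return sorted(key for key, secs in where.items() if len(secs) > 1)

def section_counts(sections):
    # The an/ns/ar counts shown as e.g. "1/4/4" in the comparisons above.
    return tuple(len(sections.get(s, [])) for s in ("an", "ns", "ar"))

# The two responses from the example above as (owner, type, rdata) tuples
# (letter case of the NS rdata differs between the two listings; it is
# irrelevant to RRset identity).
NS_SET = [("ROOT-SERVERS.NET.", "NS", n + ".ROOT-SERVERS.NET.") for n in "AFJK"]
GLUE = [("f.ROOT-SERVERS.NET.", "A", "192.5.5.241"),
        ("j.ROOT-SERVERS.NET.", "A", "198.41.0.10"),
        ("k.ROOT-SERVERS.NET.", "A", "193.0.14.129")]
A_RR = ("A.ROOT-SERVERS.NET.", "A", "198.41.0.4")
BIND8 = {"an": [A_RR], "ns": NS_SET, "ar": [A_RR] + GLUE}   # A RRset twice
NSD = {"an": [A_RR], "ns": NS_SET, "ar": GLUE}              # A RRset once
```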


2.2 b-rootdot - bind does not return NXDOMAIN on 'root.'

bind does not answer NXDOMAIN on queries for 'root.' even though
this domain does not exist in class IN.

Analysis:
bind has a pseudo domain root. somewhere.
nsd does not.


2.3 b-nonxdom - bind misses NXDomain when no zone cut

bind8 refers to itself when asked for an authoritative
answer in cases where there is no zone cut but other data exists.

Analysis:
A bind bug.

Example:

zone file:
www.pool-effekt 86400 IN A              194.246.96.72

bind8: 82   889 *-  0/1/0 
A? pool-effekt.de.;
de. soa dns.denic.de. ops.denic.de. 2002031701 10800 7200 3600000 3600;

nsd:   82   889 *-  0/1/0 NXDomain
A? pool-effekt.de.;
de. soa dns.denic.de. ops.denic.de. 2002031701 10800 7200 3600000 3600;


2.4 d-nclrcdbit - nsd clears CD bit in response

nsd clears the CD header-bit in responses, 
bind copies it from the query.
Security unaware servers should clear this bit 
as per RFC1035 4.1.1.

Analysis:
A bind bug.


3. Functionality Differences

The next group of differences are due to the fact that
nsd does not implement some functionality that is requested.
This is a design choice and should not cause resolver
problems at all.


3.1 d-nnotimpny - nsd returns NotImp on notify requests

nsd returns NOTIMP to notify operations and does not return
the original query.

Example:

bind8: 29     0 -   0/0/0 notify ServFail
SOA? smgcinc.com.;

nsd:  12     0 *-  0/0/0 notify NotImp;

Analysis:
NSD does not implement Notify and answers
accordingly.



3.2 d-nrefclass - nsd returns Refused on unknown class/type

nsd returns the error code REFUSED to queries with an unknown
class or RR type. bind returns SERVFAIL.

Analysis:
This is a permanent error.
Interpretation of the protocol
standard differs. 

Example:

bind8: 32  1388 -   0/0/0 ServFail
Type0 (Class 256)? 10.225.125.182.;

nsd:   32  1388 -   0/0/0 Refused
Type0 (Class 256)? 10.225.125.182.;



3.3 d-nonrefut - nsd returns no data on refused update

nsd does not return the original message data on refused updates.

Analysis:
Interpretation of the RFCs differs. 
Original data is not necessary,
dropping it increases DoS resilience.

Example:

bind8: 63  7610 -   1/1/0 update Refused
SOA? .;
doydoy.res.hmc.edu. (class 254) a 192.17.0.1;
doydoy.res.hmc.edu. a 134.173.62.172;

nsd:   12  7610 -   0/0/0 update Refused;


3.4 d-bindchaos - nsd does not implement the bind. TLD in class CHAOS

nsd does not implement the pseudo TLD 'bind' in class CHAOS to make
server characteristics available via the query interface. nsd does
implement the (proposed) 'server' pseudo TLD in class CHAOS instead.


4. Design Dependent Differences

This group of differences contains minor variations
of responses due to different design choices.
At present this only appears in the different
way name encoding (compression) is done.


4.1 Different Name Encoding

Since NSD pre-computes its answers for
efficiency, in a very few cases its name
encoding differs from that generated by bind8.
These cases occur when the parts of the 
answer can be encoded using parts of the
question. 

The different encoding can affect the 
answer in three different, 
increasingly severe ways.

- same response (d-nameencod)
  The content of the response is exactly the same,
  just encoded differently. The only effect of 
  this is a slightly increased length of the 
  response. In our observations the total 
  output bandwidth increase caused by this 
  is negligible. It is shown as "Added Bytes:"
  in the comparisons.

- same answer (d-nameencom)
  The answer is the same; the additional
  section is shortened by one or more
  RRsets. This may cause some loss of 
  optimisation in resolvers that may need
  additional queries to obtain some of
  the omitted information.
  Note again that the answer is fully transmitted
  and thus the 'truncated answer' bit is not set.
  The total number of omitted RRs is noted in the
  comparisons. We have only observed this when responding to
  queries for unusually long names.
  The maximum omission observed was 1 RR.

- truncated answer
  This is when the answer would be truncated
  and the 'truncated answer' bit set.
  We have not observed this at all.

Analysis: 
These are expected differences caused by design choices.
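As an added illustration (not code from this note, from NSD or from BIND), the following Python models RFC 1035 name compression with a suffix table and compares an answer that may point into the question section against one encoded from a fresh table, a simplified stand-in for a pre-computed answer; the example.net referral it uses is constructed.

```python
# Added example (not from the note, NSD or BIND): RFC 1035 name compression
# and the extra bytes an answer costs when it cannot point into the question.
import struct
TYPES = {"A": 1, "NS": 2}

def encode_name(name, offset, table):
    # table: suffix already written (lowercase) -> offset; a hit becomes
    # a 2-byte pointer 0xC000|offset (RFC 1035 4.1.4).
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in table:
            return bytes(out + struct.pack("!H", 0xC000 | table[suffix]))
        if offset + len(out) < 0x4000:        # pointers carry 14 bits
            table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out + b"\x00")

def encode_rr(rr, offset, table):
    # rr = (owner, type, ttl, rdata), class IN; 10 = fixed RR fields.
    owner, rtype, ttl, rdata = rr
    wire = encode_name(owner, offset, table)
    if rtype == "NS":                          # rdata is a compressible name
        rd = encode_name(rdata, offset + len(wire) + 10, table)
    else:                                      # A: raw IPv4 address
        rd = bytes(int(o) for o in rdata.split("."))
    return wire + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd)) + rd

def build_response(qname, qtype, rrs, answer_sees_question):
    # Zeroed header (lengths only) + question + RRs. answer_sees_question=False
    # restarts the table after the question: a hypothetical stand-in for a
    # pre-computed answer, not a reproduction of NSD's real internals.
    table = {}
    msg = bytearray(12)
    msg += encode_name(qname, 12, table) + struct.pack("!HH", TYPES[qtype], 1)
    if not answer_sees_question:
        table = {}
    for rr in rrs:
        msg += encode_rr(rr, len(msg), table)
    return bytes(msg)

def added_bytes(qname, qtype, rrs):
    return (len(build_response(qname, qtype, rrs, False))
            - len(build_response(qname, qtype, rrs, True)))
# Constructed referral, not taken from the measurements in the note.
REFERRAL = [("example.net.", "NS", 86400, "ns1.example.net."),
            ("example.net.", "NS", 86400, "ns2.example.net."),
            ("ns1.example.net.", "A", 86400, "192.0.2.1"),
            ("ns2.example.net.", "A", 86400, "192.0.2.2")]
```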



Appendix A

Comparison of responses to root queries:

--------------------------------------------------------------------------
                                            Total Answers:  49992
                                Skipped ambiguous changes:     22 /  0.04%

--------------------------------------------------------------------------

                                               d-bcacheglu   2881 /  5.76%
                                               d-nclrcdbit    400 /  0.80%
                                               d-nameencod    384 /  0.77%
                                   d-bcacheglu b-multrrset    164 /  0.33%
                                               d-nrefclass      9 /  0.02%
                                               d-nnocachns      7 /  0.01%
                                               d-nnotimpup      3 /  0.01%
                                               d-bindchaos      2 /  0.00%
--------------------------------------------------------------------------
                                 Total Different Responses   3850 /  7.70%
==========================================================================

b-multrrset -   bind puts same RRSet in multiple sections:    164 /  4.09%
d-bcacheglu -               bind answers with cached glue:   3045 / 75.86%
d-bindchaos -               bind answers to CHAOS *.bind.:      2 /  0.05%
d-nameencod -                     different name encoding:    384 /  9.57%
                                  Additional bytes:   1627
d-nclrcdbit -               nsd clears CD bit in response:    400 /  9.97%
d-nnocachns -    nsd returns no non-authoritative answers:      7 /  0.17%
d-nnotimpup -       nsd returns NotImp on update requests:      3 /  0.07%
d-nrefclass -   nsd returns Refused on unknown class/type:      9 /  0.22%
--------------------------------------------------------------------------
                                         Total Differences   4014 /100.00%
