% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{$Id$}
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
	%This escape is needed. Because of wrapping by hyperref
	\texorpdfstring{
		Jelte Jansen\thanks{\href{mailto:jelte@nlnetlabs.nl}{jelte@nlnetlabs.nl}},
		\textsl{NLnet Labs}\\
		Wouter Wijngaards\thanks{\href{mailto:wouter@nlnetlabs.nl}{wouter@nlnetlabs.nl}},
		\textsl{NLnet Labs}
	}
	{Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
	\today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted.

We compared against versions of BIND 8 and BIND 9. Regression
tests have also been run in our testlab, comparing NSD 2 with NSD 3.

Our method uses a set of queries captured from production name servers.
These queries are sent over UDP to a name server set up to serve a
particular zone, and the responses from the name server are recorded.
For every query, the different answers provided by the server
implementations are compared.

Unparseable answers and missing answers from the servers are handled
identically by the comparison software. This is not a problem because
both BIND and NSD are mature and stable DNS implementations and all answers
they send are parseable. Only in a very few cases, where the query is
very badly formed, is no answer sent back.

The differences are found by replaying captured DNS query traces from
the NL TLD and from the root zone against different name servers. The
differences in the answers are then analyzed, first by performing a
byte comparison on the packets. If the packets differ at the byte level,
the contents are parsed, which removes differences in domain name
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

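The comparison procedure described above, as an added Python example (it is not the comparison software used for this note and not code from NSD or BIND): byte comparison first, then parsing and normalization, then the first matching entry of an ordered category list. The three category predicates, the label "unclassified" and every sample packet are assumptions constructed for illustration; only names inside NS and SOA rdata are decompressed.

```python
import struct

CD, RCODE_MASK, REFUSED, NS, SOA = 0x0010, 0x000F, 5, 2, 6
NAMES_IN_RDATA = {NS: 1, SOA: 2}    # leading domain names in the rdata of these types

def read_name(msg, off):
    """Decode a possibly compressed name; return (lowercased text, next offset)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]                              # IndexError past the end: see normalize()
        if n & 0xC0 == 0xC0:                      # compression pointer
            if hops >= 64:
                raise ValueError("compression pointer loop")
            resume = off + 2 if resume is None else resume
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
        elif n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("bad label")
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if resume is None else resume)
        else:                                     # bytes.lower() folds ASCII letters only
            labels.append(msg[off + 1:off + 1 + n].lower().decode("latin-1"))
            off += 1 + n

def normalize(msg):
    """Decompressed, lowercased, sorted view; None if the answer is missing or unparseable."""
    try:
        ident, flags, *counts = struct.unpack_from("!6H", msg)
        off, question, sections = 12, [], []
        for _ in range(counts[0]):
            name, off = read_name(msg, off)
            question.append((name, *struct.unpack_from("!2H", msg, off)))
            off += 4
        for count in counts[1:]:                  # answer, authority, additional
            rrs = []
            for _ in range(count):
                name, off = read_name(msg, off)
                rtype, rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
                p, end, names = off + 10, off + 10 + rdlen, []
                for _ in range(NAMES_IN_RDATA.get(rtype, 0)):
                    text, p = read_name(msg, p)
                    names.append(text)
                if not p <= end <= len(msg):
                    raise ValueError("rdata overruns the record or the message")
                rdata = " ".join(names).encode("latin-1") + msg[p:end]
                rrs.append((name, rtype, rclass, ttl, rdata))
                off = end
            sections.append(sorted(rrs))
    except (TypeError, ValueError, IndexError, struct.error):  # TypeError: msg is None
        return None
    return {"id": ident, "flags": flags, "question": sorted(question), "sections": sections}

def soa_ttl_zeroed(norm):
    auth = sorted((n, t, c, 0 if t == SOA else ttl, d) for n, t, c, ttl, d in norm["sections"][1])
    return {**norm, "sections": [norm["sections"][0], auth, norm["sections"][2]]}

CATEGORIES = [  # consulted in order; the first match labels the difference
    ("d-refusedquery", lambda b, n: b["flags"] & RCODE_MASK == REFUSED and {**b, "question": []} == n),
    ("n-clrcdbit", lambda b, n: {**b, "flags": b["flags"] & ~CD} == n),
    ("b-soattl", lambda b, n: b == soa_ttl_zeroed(n)),
]

def compare(bind_wire, nsd_wire):
    """Label one answer pair: byte compare, then normalize, then first matching category."""
    if bind_wire == nsd_wire:
        return "same-on-wire"
    bind, nsd = normalize(bind_wire), normalize(nsd_wire)
    if bind == nsd:                               # includes: both missing or unparseable
        return "same-after-normalization"
    if bind is None or nsd is None:
        return "b-badquery-badanswer" if bind is None else "unclassified"
    return next((label for label, hit in CATEGORIES if hit(bind, nsd)), "unclassified")

def wire_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".") if lab) + b"\0"

def rr(owner, rtype, ttl, rdata):
    return owner + struct.pack("!2HIH", rtype, 1, ttl, len(rdata)) + rdata

def constructed_pairs():
    """Constructed (BIND-like, NSD-like) answer pairs for illustration; not captured traffic."""
    timers = struct.pack("!5I", 2006072801, 1800, 900, 604800, 86400)
    soa = lambda m, r, ttl: rr(b"\0", SOA, ttl, wire_name(m) + wire_name(r) + timers)
    hdr = lambda flags, qd=0, an=0, ns=0: struct.pack("!6H", 7, flags, qd, an, ns, 0)
    q_soa = wire_name("foo.bar") + struct.pack("!2H", SOA, 1)
    ns_q = hdr(0x8400, 1, 1) + wire_name("example.nl") + struct.pack("!2H", NS, 1)
    return {
        "compression": (ns_q + rr(b"\xc0\x0c", NS, 3600, b"\x02ns\xc0\x0c"),
                        ns_q + rr(wire_name("EXAMPLE.NL"), NS, 3600, wire_name("ns.example.nl"))),
        "soattl": (hdr(0x8503, 1, 0, 1) + q_soa + soa("A.ROOT-SERVERS.NET", "NSTLD.VERISIGN-GRS.COM", 0),
                   hdr(0x8503, 1, 0, 1) + q_soa + soa("a.root-servers.net", "nstld.verisign-grs.com", 86400)),
        "refused": (hdr(0x8005, 1) + q_soa, hdr(0x8005)),
        "badanswer": (None, hdr(0x8001)),
    }
```

A result of "unclassified" marks the point where the procedure in the text stops and the difference has to be inspected by hand.
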

In addition, we gratefully made use of the PROTOS DNS tool developed
at the University of Oulu, which they made publicly available at
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns},
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally, we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND and NSD; they mostly resulted in
FORMERR answers.

A previous document, DIFFERENCES between BIND 8.4.4 and NSD 2.0.0, can be found
in the NSD 2.x package.

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and
Section~\ref{nl_b932nsd3} by presenting
the difference statistics for two test traces. Then in
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
d-additional (\ref{d-additional}) 	&        455607 & 59.19\%	\\
n-clrdobit (\ref{n-clrdobit})		&        208389 & 27.07\%	\\
b-soattl (\ref{b-soattl})		&        101707 & 13.21\%	\\
n-update (\ref{n-update})		&          1858 & 0.24\%	\\
d-hostname (\ref{d-hostname})		&          1032 & 0.13\%	\\
d-formerrquery (\ref{d-formerrquery})	&           773 & 0.10\%	\\
b-class0 (\ref{b-class0})		&           264 & 0.03\%	\\
d-refusedquery (\ref{d-refusedquery})	&            79 & 0.01\%	\\
d-notify (\ref{d-notify})		&            18 & 0.00\%	\\
b-mailb (\ref{b-mailb})			&             7 & 0.00\%	\\
n-tcinquery (\ref{n-tcinquery})		&             6 & 0.00\%	\\
b-classany-nxdomain (\ref{b-classany-nxdomain})	&     5 & 0.00\%	\\
d-badqueryflags (\ref{d-badqueryflags})	&             4 & 0.00\%	\\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	&             3 & 0.00\%	\\
d-version (\ref{d-version})		&             1 & 0.00\%	\\
Total number of differences:            &        769753 & 100\%	\\
Number of packets the same after normalization:&1474863	\\
Number of packets exactly the same on the wire:&  59161	\\
Total number of packets inspected:             &2244616	\\
\end{tabular}

For each type of difference, the number of packets in the trace that
match that difference is shown. The section where that difference
is analyzed is shown in parentheses after the difference name.
The percentage of differences
explained by the difference category is listed. Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets that are the same after normalization includes the
number of packets that are the same on the wire.
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference}                        & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode})               &     2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})               &     1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit})           &     1495 & 15.56\% \\
b-soattl (\ref{b-soattl})               &     1120 & 11.65\% \\
n-update (\ref{n-update})               &      990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags})         &      847 & 8.81\% \\
d-hostname (\ref{d-hostname})           &      531 & 5.52\% \\
d-notify (\ref{d-notify})               &       98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref})             &       78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit})           &       63 & 0.66\% \\
d-version (\ref{d-version})             &       22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery})               &        8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0})         &        1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit set. BIND copies
the DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} does not specify the DO bit for answers. In the examples
section of that RFC the DO bit is shown for signed dig responses, although this
could refer to the query or the answer. NSD clears the DO bit for all answers, a
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit set. BIND copies
the CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you get either FORMERR (from BIND) or REFUSED (from NSD).

\vspace{-8pt}\subparagraph{Analysis:}

This is a difference in interpretation of the RFCs: a CLASS value of 0 is
interpreted as a syntax error by BIND but as another valid class (that is not
served) by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if the TC bit is set in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets. Thus
TC (TrunCation) cannot happen. Only one question per query packet is
answered by NSD; this is a design decision.

Some update, IXFR request, notify and GSS-TSIG TKEY sequence queries could
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this respect NSD is more strict in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       0       IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to the internet-draft draft-andrews-dnsext-soa-discovery, which
at the moment of code development has not (yet) been published as an RFC.
NSD conforms to the RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with the AA bit cleared. For nonexistent domains (nxdomain)
NSD replies with the AA bit cleared. BIND replies with the AA bit on and
includes a SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO.  ANY     MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

This is a feature of BIND: it answers authoritatively for CLASS ANY
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in
some way.

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries, the missing answer
only occurs when BIND is presented with a trace of queries, not with
a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question into the answer, or
some internal state of BIND is affected by earlier queries.

NSD manages to answer the malformed query. Note that NSD does not answer
queries that are too short, or that have the QR bit set. NSD tries to be
as liberal in what it accepts as possible.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences is due to the fact that NSD does not
implement some functionality that is requested by resolvers. This
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started
without any configuration for access control on notify. For notify messages
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

The default configuration differs between the two packages. NSD is more strict.
The error codes are different, but the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you can get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or
NOTIMPL from NSD 3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update.


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you can get either NOTIMPL (BIND 9) or NOERROR/NXDOMAIN (NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as
one of the RRTYPEs. MAILB is obsoleted by RFCs; the MX type is
used to transfer mail information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD answers version.server queries, BIND returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND answer version.bind queries of the chaos class.
The answers differ in the version number they return, of course.
BIND does not answer version.server queries. It is a design decision
on the part of NSD to answer version.server queries with the same answer.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR, BIND responds with a valid answer (the latest SOA)
and NSD responds with a NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For queries that are bad packets, with malformed RRs, with an unknown opcode,
BIND returns a FORMERR, but NSD gives up after checking the opcode and
returns NOTIMPL. NSD copies the flags from the query and turns on the
QR (query response) bit; BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for.


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root-servers. NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. This is also discussed in
the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a followup query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

The error code is not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not give a FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves case in answers. This choice was made in the REQUIREMENTS
for NSD; also see RFC 1035\cite{rfc1035}, section 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify})               & 19 &  73.08\% \\
n-ixfr (\ref{n-ixfr})                   & 3 &  11.54\% \\
version.bind (\ref{nsd-version})       & 3 & 11.54\% \\
version.server (\ref{nsd-version})   & 1  &  3.85\% \\
Total number of differences:            & 26 &  100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected:             &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for an nl. trace.
Note that apart from the 311 packets that are different, all responses are
identical on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify}) 		& 289 & 92.93\% \\
version.bind (\ref{nsd-version}) 	& 22  & 7.07\% \\
Total number of differences: 			   & 311 	& 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: 	&100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns the NOTIMPL error code,
while NSD 3 returns the NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

The default configuration denies all notify queries for NSD 3. These answers
are correct for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given to IXFR queries. NSD 2
gives FORMERR (due to the RR in the authority section). NSD 3 returns
NOTIMPL.

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. This is a bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed.


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit (\ref{n-clrcdbit})	&         516372 &84.39\% \\
d-hostname (\ref{d-hostname})	&         53431  &8.73\% \\
d-additional (\ref{d-additional})	& 32526  &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup})	& 4611  &0.75\% \\
n-update (\ref{n-update})	&         1856  &0.30\% \\
d-version (\ref{d-version})	&         1033  &0.17\% \\
b8-auth-any (\ref{b8-auth-any})	&         519  &0.08\% \\
b8-badedns0 (\ref{b8-badedns0})	&         492  &0.08\% \\
d-unknown-class (\ref{d-unknown-class})	& 482  &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})	& 451  &0.07\% \\
b-class0 (\ref{b-class0})	&         97  &0.02\% \\
d-notify (\ref{d-notify})	&         18  &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query})	& 6  &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored})	& 4  &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	& 3  &0.00\% \\
b-soattl (\ref{b-soattl})	&         1  &0.00\% \\
Total number of differences: 		&	 611902	&100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:&   2299 \\
Total number of packets inspected: 	       &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit        (\ref{n-clrcdbit})         &           2857        &33.53\% \\
d-unknown-opcode  (\ref{d-unknown-opcode})   &           2692        &31.59\% \\
n-update          (\ref{n-update})           &           1283        &15.06\% \\
d-badqueryflags   (\ref{d-badqueryflags})    &            841        &9.87\% \\
d-hostname        (\ref{d-hostname})         &            531        &6.23\% \\
d-notify          (\ref{d-notify})           &            293        &3.44\% \\
d-version         (\ref{d-version})          &             22        &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) &         1        &0.01\% \\
b8-badedns0          (\ref{b8-badedns0})     &              1        &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, this minimum TTL is
larger than the original TTL of the SOA. NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

This is a bug in BIND 8 that is solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 manages to reply to malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is bad, so FORMERR is needed. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores a bad EDNS0 section in queries. It answers the query.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND 8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND 8 includes an authority section on queries for class ANY .
BIND 9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND 9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND 8 responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns
NXDOMAIN, BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries; it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}