% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{$Id$}
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
 %This escape is needed. Because of wrapping by hyperref
 \texorpdfstring{
 Jelte Jansen\thanks{\href{mailto:jelte@nlnetlabs.nl}{jelte@nlnetlabs.nl}},
 \textsl{NLnet Labs}\\
 Wouter Wijngaards\thanks{\href{mailto:wouter@nlnetlabs.nl}{wouter@nlnetlabs.nl}},
 \textsl{NLnet Labs}
 }
 {Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
 \today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted.

We compared against versions of BIND 8 and BIND 9. Regression tests
comparing NSD 2 with NSD 3 were also run in our test lab.

Our method uses a set of queries captured from production name servers.
These queries are sent over UDP to a name server set up to serve a
particular zone. Then the responses from the name server are recorded.
For every query, the different answers provided by the server
implementations are compared.

Unparseable answers and no answers from the servers are handled
identically by the comparison software.
This is not a problem: both BIND and NSD are mature and stable DNS
implementations, and all answers they send are parseable. Only in a
very few cases, where the query is very badly formed, is no answer
sent back.

The differences are found by replaying captured DNS query traces from
the NL TLD and from the root zone against different name servers. The
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets. If the packets differ at the byte level,
the contents are parsed, thus removing differences in domain name
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

In addition, we gratefully made use of the PROTOS DNS tool developed
at the University of Oulu, which they made publicly available at
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns},
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease, and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND and NSD; the answers were mostly FORMERR.

A previous document, DIFFERENCES between BIND 8.4.4 and NSD 2.0.0, can be found
in the NSD 2.x package.
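
The comparison procedure described above (byte comparison, then parsing and normalization, then first-match categorization) is shown here in Python as an added example; it is not the comparison software used for this report. The predicates, their order, the function names and the sample packets are assumptions made for illustration, only three of the report's categories are modelled, and only NS, CNAME and SOA RDATA is expanded.

```python
import struct
NS, CNAME, SOA, OPT, REFUSED, DO_BIT = 2, 5, 6, 41, 5, 0x8000

def read_name(msg, off):  # possibly compressed name -> (lowercased text, next offset)
    labels, nxt = [], None
    for _ in range(255):                           # bounds labels and pointer hops
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            nxt = off + 2 if nxt is None else nxt
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                               # root label ends the name
            return ".".join(labels).lower() + ".", (off + 1 if nxt is None else nxt)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("latin-1"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def rdata_view(msg, off, rtype, rdlen):  # expand names in the RDATA types handled here
    if off + rdlen > len(msg):
        raise ValueError("truncated RDATA")
    if rtype in (NS, CNAME):
        return read_name(msg, off)[0]
    if rtype != SOA:
        return msg[off:off + rdlen]                # other types stay opaque bytes
    mname, o = read_name(msg, off)
    rname, o = read_name(msg, o)
    return (mname, rname) + struct.unpack_from("!5I", msg, o)

def parse(msg):
    """Normalized view of a response; None for no answer and for unparseable."""
    try:
        ident, flags, *counts = struct.unpack_from("!6H", msg)
        off, view = 12, {"id": ident, "flags": flags}
        for sec, count in zip(("question", "answer", "authority", "additional"), counts):
            rrs = []
            for _ in range(count):
                owner, off = read_name(msg, off)
                if sec == "question":
                    rrs.append((owner,) + struct.unpack_from("!2H", msg, off))
                    off += 4
                else:
                    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
                    rdata = rdata_view(msg, off + 10, rtype, rdlen)
                    rrs.append((owner, rtype, rclass, ttl, rdata))
                    off += 10 + rdlen
            view[sec] = sorted(rrs)                # RR order inside a section is ignored
        return view
    except (TypeError, IndexError, ValueError, struct.error):
        return None

def edit_ttl(view, section, rtype, fn):  # copy with fn applied to matching RRs' TTL field
    rrs = [(o, t, c, fn(ttl) if t == rtype else ttl, rd) for o, t, c, ttl, rd in view[section]]
    return {**view, section: sorted(rrs)}

# First match wins. Category names and behaviours are the report's; the
# predicates over (BIND view, NSD view) and their order are assumptions.
CATEGORIES = [
    ("n-clrdobit", lambda b, n: edit_ttl(b, "additional", OPT, lambda t: t & ~DO_BIT) == n),
    ("b-soattl", lambda b, n: b == edit_ttl(n, "authority", SOA, lambda t: 0)),
    ("d-refusedquery", lambda b, n: b["flags"] & 0xF == REFUSED and {**b, "question": []} == n),
]

def classify(bind_wire, nsd_wire):
    """Bucket one query's pair of responses (None means no answer was received)."""
    if bind_wire == nsd_wire:
        return "same-on-wire"
    bind, nsd = parse(bind_wire), parse(nsd_wire)
    if bind == nsd:
        return "same-after-normalization"
    if bind is None:
        return "b-badquery-badanswer"
    if nsd is not None:
        for name, matches in CATEGORIES:
            if matches(bind, nsd):
                return name
    raise LookupError("uncategorized difference: stop and inspect this pair")

def wire_name(text):
    return b"".join(bytes([len(l)]) + l.encode() for l in text.split(".") if l) + b"\0"
def rr(owner, rtype, rclass, ttl, rdata):
    return wire_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
def soa_nxdomain(ttl, mname, rname):               # reply to "foo.bar. IN SOA"
    rdata = wire_name(mname) + wire_name(rname) + struct.pack(
        "!5I", 2006072801, 1800, 900, 604800, 86400)
    return (struct.pack("!6H", 6097, 0x8503, 1, 0, 1, 0)     # qr aa rd, NXDOMAIN
            + wire_name("foo.bar.") + struct.pack("!2H", SOA, 1) + rr(".", SOA, 1, ttl, rdata))
# Constructed samples modelled on the b-soattl listings; not captured traffic.
BIND_SOA = soa_nxdomain(0, "A.ROOT-SERVERS.NET.", "NSTLD.VERISIGN-GRS.COM.")
NSD_SOA = soa_nxdomain(86400, "a.root-servers.net.", "nstld.verisign-grs.com.")
```

A pair that raises LookupError corresponds to the case in the text where the process stops and the user is notified; a new category is then added ahead of or behind the existing ones, which is why the order of the list matters.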

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and
Section~\ref{nl_b932nsd3} by presenting
the difference statistics for two test traces. Then in
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
d-additional (\ref{d-additional}) & 455607 & 59.19\% \\
n-clrdobit (\ref{n-clrdobit}) & 208389 & 27.07\% \\
b-soattl (\ref{b-soattl}) & 101707 & 13.21\% \\
n-update (\ref{n-update}) & 1858 & 0.24\% \\
d-hostname (\ref{d-hostname}) & 1032 & 0.13\% \\
d-formerrquery (\ref{d-formerrquery}) & 773 & 0.10\% \\
b-class0 (\ref{b-class0}) & 264 & 0.03\% \\
d-refusedquery (\ref{d-refusedquery}) & 79 & 0.01\% \\
d-notify (\ref{d-notify}) & 18 & 0.00\% \\
b-mailb (\ref{b-mailb}) & 7 & 0.00\% \\
n-tcinquery (\ref{n-tcinquery}) & 6 & 0.00\% \\
b-classany-nxdomain (\ref{b-classany-nxdomain}) & 5 & 0.00\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 4 & 0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl}) & 3 & 0.00\% \\
d-version (\ref{d-version}) & 1 & 0.00\% \\
Total number of differences: & 769753 & 100\% \\
Number of packets the same after normalization: & 1474863 \\
Number of packets exactly the same on the wire: & 59161 \\
Total number of packets inspected: & 2244616 \\
\end{tabular}

For each type of difference, the number of packets in the trace that
match that difference is shown.
The section where that difference
is analyzed is shown in parentheses after the difference name.
The percentage of differences
explained by the difference category is listed. Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets that are the same after normalization includes
the number of packets that are the same on the wire.
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode}) & 2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit}) & 1495 & 15.56\% \\
b-soattl (\ref{b-soattl}) & 1120 & 11.65\% \\
n-update (\ref{n-update}) & 990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 847 & 8.81\% \\
d-hostname (\ref{d-hostname}) & 531 & 5.52\% \\
d-notify (\ref{d-notify}) & 98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref}) & 78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit}) & 63 & 0.66\% \\
d-version (\ref{d-version}) & 22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery}) & 8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0}) & 1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices.
These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit set. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could
refer to the query or the answer. NSD clears the DO bit for all answers, a
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit set. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some FORMERR queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you can get either FORMERR (from BIND) or REFUSED (from NSD).

\vspace{-8pt}\subparagraph{Analysis:}

This is a difference in interpretation of the RFCs: a CLASS value of 0 is
interpreted as a syntax error by BIND but as another valid class (that is
not served) by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if the TC bit is set in the query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets.
Thus TC (TrunCation) cannot happen. Only one question per query packet is
answered by NSD; this is a design decision.

Some update, IXFR request, notify, and GSS-TSIG TKEY sequence queries could
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this respect NSD is stricter in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 0 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar. IN SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to internet-draft draft-andrews-dnsext-soa-discovery, which
at the moment of code development has not (yet) been published as an RFC.
NSD conforms to the RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with the AA bit cleared. For nonexistent domains (NXDOMAIN)
NSD replies with the AA bit cleared. BIND replies with the AA bit set and
includes a SOA (CLASS=IN) for the zone, as for an authoritative NXDOMAIN.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO. ANY MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo. ANY MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
        2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo. ANY MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

This is a feature of BIND: it answers authoritatively for CLASS ANY
NXDOMAIN queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in
some way.

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries the missing answer
occurs only when BIND is presented with a trace of queries, not with
a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question in the answer, or
some internal state of BIND is affected by earlier queries.

NSD manages to answer the malformed query. Note that NSD does not answer
queries that are too short, or that have the QR bit set. NSD tries to be
as liberal in what it accepts as possible.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences is due to the fact that NSD does not
implement some functionality that is requested by resolvers. This
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started
without any configuration for access control on notify.
For notify messages
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

Default configuration differs between the two packages. NSD is more strict.
Error codes are different; the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you can get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or
NOTIMPL from NSD 3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update.


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you can get either NOTIMPL (BIND 9) or NOERROR/NXDOMAIN (NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as
one of the RRTYPEs. MAILB is obsoleted by RFCs; the MX type is
used to transfer mail information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD answers version.server queries; BIND returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND answer version.bind queries of the CHAOS class.
The answers differ in the version number they return, of course.
BIND does not answer version.server queries. Answering version.server
queries with the same answer is a design decision on the part of NSD.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record and fewer A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To IXFR queries, BIND responds with a valid answer (the latest SOA)
and NSD responds with a NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information.
Sending only the header makes NSD replies smaller and thus more
resilient to DoS attacks.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For queries that are bad packets, with malformed RRs, with an unknown opcode,
BIND returns a FORMERR, but NSD gives up after checking the opcode and
returns NOTIMPL. NSD copies the flags from the query and turns on the
QR (query response) bit; BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for.


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root-servers. NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. This is also discussed in
the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a follow-up query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

The error code is not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not give a FORMERR on these queries; it processes them.
NSD normalizes names to lower case and otherwise leaves them untouched.
BIND preserves case in answers. This is a choice made in REQUIREMENTS for NSD;
also see RFC1035\cite{rfc1035} 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-notify (\ref{n-notify}) & 19 & 73.08\% \\
n-ixfr (\ref{n-ixfr}) & 3 & 11.54\% \\
version.bind (\ref{nsd-version}) & 3 & 11.54\% \\
version.server (\ref{nsd-version}) & 1 & 3.85\% \\
Total number of differences: & 26 & 100\% \\
Number of packets the same after normalization: & 2244590 \\
Number of packets exactly the same on the wire: & 2244590 \\
Total number of packets inspected: & 2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-notify (\ref{n-notify}) & 289 & 92.93\% \\
version.bind (\ref{nsd-version}) & 22 & 7.07\% \\
Total number of differences: & 311 & 100\% \\
Number of packets the same after normalization: & 99689 \\
Number of packets exactly the same on the wire: & 99689 \\
Total number of packets inspected: & 100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns the NOTIMPL error code,
while NSD 3 returns the NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

The default config denies all notify queries for NSD 3. These answers are correct
for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

Different error codes are given to IXFR queries. NSD 2
gives FORMERR (due to the RR in the authority section). NSD 3 returns
NOTIMPL.

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed.


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-clrcdbit (\ref{n-clrcdbit}) & 516372 & 84.39\% \\
d-hostname (\ref{d-hostname}) & 53431 & 8.73\% \\
d-additional (\ref{d-additional}) & 32526 & 5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup}) & 4611 & 0.75\% \\
n-update (\ref{n-update}) & 1856 & 0.30\% \\
d-version (\ref{d-version}) & 1033 & 0.17\% \\
b8-auth-any (\ref{b8-auth-any}) & 519 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0}) & 492 & 0.08\% \\
d-unknown-class (\ref{d-unknown-class}) & 482 & 0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 451 & 0.07\% \\
b-class0 (\ref{b-class0}) & 97 & 0.02\% \\
d-notify (\ref{d-notify}) & 18 & 0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query}) & 6 & 0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored}) & 4 & 0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl}) & 3 & 0.00\% \\
b-soattl (\ref{b-soattl}) & 1 & 0.00\% \\
Total number of differences: & 611902 & 100\% \\
Number of packets the same after normalization: & 1632714 \\
Number of packets exactly the same on the wire: & 2299 \\
Total number of packets inspected: & 2244616 \\
\end{tabular}

\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference} & {\em packets} & {\em \%diff} \\
n-clrcdbit (\ref{n-clrcdbit}) & 2857 & 33.53\% \\
d-unknown-opcode (\ref{d-unknown-opcode}) & 2692 & 31.59\% \\
n-update (\ref{n-update}) & 1283 & 15.06\% \\
d-badqueryflags (\ref{d-badqueryflags}) & 841 & 9.87\% \\
d-hostname (\ref{d-hostname}) & 531 & 6.23\% \\
d-notify (\ref{d-notify}) & 293 & 3.44\% \\
d-version (\ref{d-version}) & 22 & 0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) & 1 & 0.01\% \\
b8-badedns0 (\ref{b8-badedns0}) & 1 & 0.01\% \\
Total number of differences: & 8521 & 100\% \\
Number of packets the same after normalization: & 91479 \\
Number of packets exactly the same on the wire: & 90837 \\
Total number of packets inspected: & 100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, this minimum TTL is
larger than the original TTL of the SOA; NSD 2.3.6, NSD 3 and BIND 9 all
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8 solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND 8 manages to reply to malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is bad; FORMERR is needed. Fixed in BIND 9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores queries with a bad EDNS0 section. It answers the query.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND 8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND 8 includes an authority section on queries for class ANY .
BIND 9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND 9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like n-tcinquery (\ref{n-tcinquery}), except that where BIND 9 returns NXDOMAIN,
BIND 8 returns the query with the QR bit set. This is fixed in BIND 9.
NSD is less liberal in accepting queries; it returns FORMERR on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}