Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
% DIFFERENCES NSD 3 and other name servers.
\documentclass[twoside,titlepage,english]{nlnetlabs}
\newcites{rfc}{RFC references}

\def\nlnetlabsno{2006-004}

\rcsdetails{$Id: differences.tex,v 1.2 2022/09/24 17:38:17 christos Exp $}   
% Prints RCS details at the bottom of the page.

\title{Response Differences between\\ NSD and other DNS Servers}
\author{
	%This escape is needed. Because of wrapping by hyperref
	\texorpdfstring{
		Jelte Jansen\thanks{\href{mailto:jelte@nlnetlabs.nl}{jelte@nlnetlabs.nl}},
		\textsl{NLnet Labs}\\
		Wouter Wijngaards\thanks{\href{mailto:wouter@nlnetlabs.nl}{wouter@nlnetlabs.nl}},
		\textsl{NLnet Labs}
	}
	{Jelte Jansen, Wouter C.A. Wijngaards}
}
\date{
	\today
}

\begin{document}
\flushbottom
\maketitle{}

\begin{abstract}
This note describes observed differences in responses between NSD and
other DNS server implementations. NSD 3.0.0 is compared to NSD 2.3.6,
BIND 8.4.7 and BIND 9.3.2. Differences in answers to captured queries from 
resolvers are tallied and analyzed. No interoperability problems are found.
\end{abstract}


\tableofcontents
\newpage

\section{Introduction}

The NSD name server is compared to other DNS server implementations
in order to assess server interoperability.
The goal is to observe differences in the answers that the name servers
provide. These differences are categorized and counted. 

We used BIND 8 and BIND 9 versions to compare against. Also regression
tests have been run on our testlab, comparing NSD 2 versus NSD 3.

Our method uses a set of queries captured from production name servers. 
These queries are sent over UDP to a name server set up to serve a 
particular zone. Then the responses from the name server are recorded. 
For every query, the different answers provided by the server 
implementations are compared.

Unparseable answers and no answers from the servers are handled 
identically by the comparison software. This is not a problem because 
both BIND and NSD are mature and stable DNS implementations, all answers 
they send are parseable. Only in a very few cases, where the query is 
very badly formed, no answers are sent back.

The differences are found by replaying captured DNS query traces from 
the NL TLD and from the root zone against different name servers. The 
differences in the answers are then analyzed, by first performing a
byte-comparison on the packets. If the packets are binary different, 
the contents are parsed, thus removing differences in domain name 
compression, and normalized (sorted, lowercase) in presentation. If the
results do not match after normalization, then a list of difference 
categories is consulted. The difference is classified as the first
category that matches. If a difference in answers does not match any 
category, then the process stops and the user is notified. All the
differences are categorized for the traces we present.

In addition, we gratefully made use of the PROTOS DNS tool developed 
at the University of Oulu which they made publicly available at 
\href{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
{the protos webpage}\footnote{http://www.ee.oulu.fi/research/ouspg/protos/testing/c09/dns}
and played the queries against the authoritative name servers.
We fixed a packet parsing error in NSD3-prerelease and both NSD3 and
BIND 9.3.2 remained running and responsive.

Additionally we used the faulty DNS query traces in the wiki-ethereal
repository. These can be found in \href{http://wiki.ethereal.com/SampleCaptures}
{the ethereal wiki}\footnote{http://wiki.ethereal.com/SampleCaptures}.
These traces posed no problem for BIND and NSD, mostly FORMERR answers.

A previous document DIFFERENCES between BIND 8.4.4 and NSD 2.0.0 can be found
in the NSD 2.x package.

In the places where differences have been found between BIND and NSD,
in the authors' opinion, no interoperability problems result for resolvers.


\section{Response differences between BIND 9.3.2 and NSD 3.0.0}

In this section the response differences between BIND 9.3.2 and NSD 3.0.0
are presented and analyzed. We start in Section~\ref{root_b932nsd3} and 
Section~\ref{nl_b932nsd3} with presenting
the difference statistics for two test traces. Then in 
Section~\ref{sec:features} and Section~\ref{sec:funcdiff}
the difference categories are explained in more detail.


\subsection{Comparison of responses to root queries}
\label{root_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2 for a root trace.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
d-additional (\ref{d-additional}) 	&        455607 & 59.19\%	\\
n-clrdobit (\ref{n-clrdobit})		&        208389 & 27.07\%	\\
b-soattl (\ref{b-soattl})		&        101707 & 13.21\%	\\
n-update (\ref{n-update})		&          1858 & 0.24\%	\\
d-hostname (\ref{d-hostname})		&          1032 & 0.13\%	\\
d-formerrquery (\ref{d-formerrquery})	&           773 & 0.10\%	\\
b-class0 (\ref{b-class0})		&           264 & 0.03\%	\\
d-refusedquery (\ref{d-refusedquery})	&            79 & 0.01\%	\\
d-notify (\ref{d-notify})		&            18 & 0.00\%	\\
b-mailb (\ref{b-mailb})			&             7 & 0.00\%	\\
n-tcinquery (\ref{n-tcinquery})		&             6 & 0.00\%	\\
b-classany-nxdomain (\ref{b-classany-nxdomain})	&     5 & 0.00\%	\\
d-badqueryflags (\ref{d-badqueryflags})	&             4 & 0.00\%	\\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	&             3 & 0.00\%	\\
d-version (\ref{d-version})		&             1 & 0.00\%	\\
Total number of differences:            &        769753 & 100\%	\\
Number of packets the same after normalization:&1474863	\\
Number of packets exactly the same on the wire:&  59161	\\
Total number of packets inspected:             &2244616	\\
\end{tabular}

For each type of difference the number of packets in the trace that
match that difference are shown. The section where that difference
is analyzed is shown in parenthesis after the difference name.
The percentage of differences
explained by the difference category is listed.  Adding up the packets
that are different gives the total number of differences, or 100\%
of the differences.

The number of packets after normalization includes the number of
packets that are the same on the wire.  
The total number of query packets is displayed at the bottom of the table.


\subsection{Comparison of responses to NL TLD queries}
\label{nl_b932nsd3}

Comparison between NSD 3.0.0 and BIND 9.3.2, for a trace for .nl.

\begin{tabular}{lrr}
{\em difference}                        & {\em packets} & {\em \%diff} \\
d-unknown-opcode (\ref{d-unknown-opcode})               &     2541 & 26.44\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})               &     1817 & 18.91\% \\
n-clrdobit (\ref{n-clrdobit})           &     1495 & 15.56\% \\
b-soattl (\ref{b-soattl})               &     1120 & 11.65\% \\
n-update (\ref{n-update})               &      990 & 10.30\% \\
d-badqueryflags (\ref{d-badqueryflags})         &      847 & 8.81\% \\
d-hostname (\ref{d-hostname})           &      531 & 5.52\% \\
d-notify (\ref{d-notify})               &       98 & 1.02\% \\
b-upwards-ref (\ref{b-upwards-ref})             &       78 & 0.81\% \\
n-clrcdbit (\ref{n-clrcdbit})           &       63 & 0.66\% \\
d-version (\ref{d-version})             &       22 & 0.23\% \\
b-noglue-nsquery (\ref{b-noglue-nsquery})               &        8 & 0.08\% \\
b8-badedns0 (\ref{b8-badedns0})         &        1 & 0.01\% \\
Total number of differences: & 9611 & 100\% \\
Number of packets the same after normalization: & 90389 \\
Number of packets exactly the same on the wire: & 52336 \\
Total number of packets inspected: & 100000 \\
\end{tabular}

\subsection{Features}
\label{sec:features}

In this section we enumerate a number of differences between 
BIND 9.3.2 and NSD 3.0.0 that cannot be immediately explained
as design choices. These features could be seen as bugs in software
or protocol specs, except that they do not lead to interoperability 
problems.


\subsubsection{n-clrdobit - NSD clears DO bit in response}
\label{n-clrdobit}

NSD clears the DO bit in answers to queries with the DO bit. BIND copies the
DO bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

In RFC4035\cite{rfc4035} the DO bit is not specified for answers. In the examples section
of that RFC the DO bit is shown for signed dig responses, although this could 
refer to the query or the answer. NSD clears the DO bit for all answers, a 
decision based on speed: the EDNS record sent back by NSD is precompiled and
not modified during answer processing.


\subsubsection{n-clrcdbit - NSD clears CD bit in response}
\label{n-clrcdbit}

NSD clears the CD bit in answers to queries with the CD bit. BIND copies the
CD bit to the answer.

\vspace{-8pt}\subparagraph{Analysis:}

RFC 4035\cite{rfc4035} asserts that the CD bit must be cleared for 
authoritative answers. The CD bit should be copied into the answer
by recursive servers. BIND copies the CD bit for some formerr queries.


\subsubsection{b-class0 - CLASS0 formerr in BIND}
\label{b-class0}

For CLASS0, you can get either FORMERR, from BIND or REFUSED, from NSD.

\vspace{-8pt}\subparagraph{Analysis:}

Difference in interpretation of the RFCs, a CLASS value of 0 is interpreted
as a syntax error by BIND but as another valid class (that is not served)
by NSD. Resolvers are unaffected for CLASS IN.


\subsubsection{n-tcinquery - TC bit in query is formerr for NSD}
\label{n-tcinquery}

NSD returns FORMERR if tc bit is set in query.

\vspace{-8pt}\subparagraph{Analysis:}

Queries cannot be longer than 512 octets, since the DNS header is short
and the query DNS name has a maximum length of 255 octets. Thus 
TC (TrunCation) cannot happen. Only one question per query packet is 
answered by NSD, this is a design decision.

Some update, ixfr request, notify, gss-tsig TKEY sequence queries could 
theoretically carry longer data in the query from the client. In practice
this does not happen, as 255 octet uncompressed names are not used.
If this were to happen, the client could attempt a TCP connection
immediately instead of setting a TC bit, or use EDNS0 to send longer packets.

In this NSD is more strict in validation than BIND.


\subsubsection{b-soattl - BIND sets SOA TTL in authority section to 0 for SOA queries}
\label{b-soattl}

This happens when asking for the SOA for a domain that is not served.

\footnotesize
\begin{verbatim}
Query:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA
\end{verbatim}
\normalsize


Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 6097
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       0       IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 10 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:52:36 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 26095
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; foo.bar.     IN      SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Aug 23 13:53:30 2006
;; MSG SIZE  rcvd: 100
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

BIND conforms to internet-draft draft-andrews-dnsext-soa-discovery which 
has at the moment of code development not (yet) been published as RFC. 
NSD conforms to the RFCs.


\subsubsection{b-classany-nxdomain - BIND gives an auth answer for class ANY nxdomain}
\label{b-classany-nxdomain}

A difference in behaviour for CLASS=ANY queries. For existing domains both
BIND and NSD reply with AA bit cleared. For not existing domains (nxdomain)
NSD replies with AA bit cleared. BIND replies with AA bit on and includes a
SOA (CLASS=IN) for the zone, as for an authoritative nxdomain.

Query:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13328
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruO.  ANY     MX
\end{verbatim}
\normalsize

Answer from BIND 9.3.2:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. (
	2006072801 1800 900 604800 86400)

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 103
\end{verbatim}
\normalsize

Answer from NSD 3:

\footnotesize
\begin{verbatim}
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 13328
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; nslabs.ruo.  ANY     MX

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; WHEN: Wed Aug 23 13:58:51 2006
;; MSG SIZE  rcvd: 28
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

Feature of BIND where it answers authoritatively for CLASS ANY 
nxdomain queries.


\subsubsection{b-badquery-badanswer - BIND replies with bad answer for
                            some bad queries}
\label{b-badquery-badanswer}

BIND replies with an answer packet that cannot be parsed, or does
not answer at all. NSD always generates
an answer, with the appropriate RCODE (mostly NOTIMPL and FORMERR, but
also NXDOMAIN to NOTIFY queries). All these queries are malformed in 
some way. 

A (very simple) example of a query without an answer
is a query packet of 18 zero bytes. For some queries no answer
only happens when BIND is presented with a trace of queries, not for 
a single query.

\vspace{-8pt}\subparagraph{Analysis:}

BIND includes (part of) the unparseable question into the answer, or
some internal state of BIND is affected by earlier queries. 

NSD manages to answer the malformed query. Note that NSD does not answer 
queries that are too short, or that have the QR bit set. NSD tries to be
as liberal in what it accepts as possible.


\subsection{Functionality Differences}
\label{sec:funcdiff}

The next group of differences are due to the fact that NSD does not
implement some functionality that is requested by resolvers.  This 
is a design choice and should not cause resolver problems at all,
since responses to those requests are within protocol specs.


\subsubsection{d-notify - different NOTIFY errors}
\label{d-notify}

BIND and NSD give different errors for notify queries. The servers are started 
without any configuration for access control on notify. For notify messages 
aimed at a zone that is served, BIND 9.3.2 returns a NOERROR answer, and 
NSD 3 returns NOTAUTH. For notify messages on a zone that is not served 
(in-addr.arpa.) BIND 9.3.2 returns NOTAUTH and NSD 3 returns NXDOMAIN.

\vspace{-8pt}\subparagraph{Analysis:}

Default configuration differs between the two packages. NSD is more strict.
Error codes are different, the tools that send notifies are not affected.


\subsubsection{n-update - NSD does not implement dynamic update}
\label{n-update}

For UPDATE, you can get either REFUSED/NXRRSET/other RCODE from BIND 9.3.2 or 
NOTIMPL from nsd3.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not implement dynamic update. 


\subsubsection{b-mailb - BIND does not implement MAILB}
\label{b-mailb}

For MAILB, you can get either NOTIMPL(BIND 9) or NOERROR/NXDOMAIN(NSD 3).

\vspace{-8pt}\subparagraph{Analysis:}

BIND does not implement queries for the MAILB type. NSD treats it as 
one of the RRTYPEs. MAILB is obsoleted by RFCs, the MX type is 
used to transfer mail information now.


\subsubsection{d-version - BIND returns servfail on version.server queries}
\label{d-version}

NSD returns version.server query, BIND returns servfail.

\vspace{-8pt}\subparagraph{Analysis:}

Both NSD and BIND return version.bind queries of the chaos class.
These queries differ in the version number they return, of course.
BIND does not return version.server queries. This is a design decision
on the part of NSD to return version.server queries with the same answer.


\subsubsection{d-additional - Different additional section on truncated answers}
\label{d-additional}

NSD and BIND return different additional sections on truncated answers
to queries from the root. These answers are 480+ bytes long.

\vspace{-8pt}\subparagraph{Analysis:}

Not all the A and AAAA data fits into the additional section of the answer.
BIND includes different names than NSD does, and BIND is observed to sometimes
include one more AAAA record, less A records in the additional section.
Resolvers should be unaffected.


\subsubsection{d-refusedquery - BIND includes query section in REFUSED answers}
\label{d-refusedquery}

BIND includes the query sent for REFUSED answers. NSD replies with only
the DNS header section.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending the header makes NSD replies smaller and thus more 
resilient to DoS attacks.


\subsubsection{d-hostname - BIND adds a NS record for hostname.bind}
\label{d-hostname}

BIND includes an additional RR in the authority section of the reply:
\footnotesize
\begin{verbatim}
hostname.bind. 0 CH NS hostname.bind.
\end{verbatim}
\normalsize

\vspace{-8pt}\subparagraph{Analysis:}

The RR seems useless. NSD does not include it.


\subsubsection{n-ixfr-notimpl - NSD does not implement IXFR}
\label{n-ixfr-notimpl}

To queries for IXFR BIND responds with a valid answer (the latest SOA)
and NSD responds with NOTIMPL error.

\vspace{-8pt}\subparagraph{Analysis:}

NSD 3.0.0 does not implement IXFR. It returns NOTIMPL by design.


\subsubsection{d-formerrquery - BIND includes query section in FORMERR answers}
\label{d-formerrquery}

BIND includes the query sent for FORMERR answers. NSD replies with only
the DNS header section. For some queries, NSD includes an EDNS record in 
the reply if there was a recognizable EDNS record in the query.

\vspace{-8pt}\subparagraph{Analysis:}

The resolver must inspect the query ID. The error code provides sufficient
information. Sending the header makes NSD replies smaller and thus more 
resilient to DoS attacks.


\subsubsection{d-badqueryflags - BIND includes query section in FORMERR answers}
\label{d-badqueryflags}

BIND includes the query section in reply to unparseable queries. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but the implementation of the comparison 
software could not parse the query either, thus a separate label.


\subsubsection{d-unknown-class - BIND includes query section in answers to unknown class}
\label{d-unknown-class}

For queries with an unknown class in the query, BIND includes the query section
in the answer. NSD does not.

\vspace{-8pt}\subparagraph{Analysis:}

Same as d-formerrquery (\ref{d-formerrquery}), but for a different error.


\subsubsection{d-unknown-opcode - NSD returns NOTIMPL for unknown opcode}
\label{d-unknown-opcode}

For queries that are bad packets, with malformed RRs, with an unknown opcode,
BIND returns a FORMERR, but NSD gives up after checking the opcode and
returns NOTIMPL.  NSD copies the flags from the query, and turns on the 
QR (query response) bit, BIND zeroes some of the flags.

\vspace{-8pt}\subparagraph{Analysis:}

NOTIMPL is appropriate since NSD does not implement whatever functionality
is being looked for. 


\subsubsection{b-upwards-ref - BIND returns root delegation}
\label{b-upwards-ref}

For queries to a domain that is not served, which can only have arrived at
this server due to a lame delegation, BIND returns a root delegation. NSD
returns SERVFAIL.

\vspace{-8pt}\subparagraph{Analysis:}

By design, NSD does not know the root-servers.  NSD is unable to reply as
the zone is not configured, hence the SERVFAIL. This is also discussed in
the REQUIREMENTS document for NSD.


\subsubsection{b-noglue-nsquery - BIND returns no glue for NS queries}
\label{b-noglue-nsquery}

For queries for the NS records of the zone, BIND does not include glue
for the NS records. NSD includes glue for the NS servers that lie within
the zone.

\vspace{-8pt}\subparagraph{Analysis:}

The glue saves a followup query.


\subsubsection{d-noquestion - different error on no question}
\label{d-noquestion}

For queries without a question section the error code differs.
NSD considers it a FORMERR. BIND returns REFUSED.

\vspace{-8pt}\subparagraph{Analysis:}

Error code not specified for this corner case. No problems for resolvers.


\subsubsection{b-uchar - BIND returns FORMERR on strange characters}
\label{b-uchar}

BIND returns FORMERR on strange characters in the query, such as
0x00, 0xff, 0xe4, 0x20, 0x40 and so on.

\vspace{-8pt}\subparagraph{Analysis:}

NSD does not give a formerr on these queries, it processes them.
NSD normalizes names to lower case. Otherwise leaves them untouched.
BIND preserves case in answers. Choice made in REQUIREMENTS for NSD,
also see RFC1035\cite{rfc1035} 2.3.3.


\section{Response differences between NSD 2.3.6 and NSD 3.0.0}

The differences between NSD 2.3.6 and NSD 3.0.0 are listed below. All are due
to version number changes and new features in NSD 3.


\subsection{Comparison of responses in root trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a root trace.
Note that apart from the 26 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify})               & 19 &  73.08\% \\
n-ixfr (\ref{n-ixfr})                   & 3 &  11.54\% \\
version.bind (\ref{nsd-version})       & 3 & 11.54\% \\
version.server (\ref{nsd-version})   & 1  &  3.85\% \\
Total number of differences:            & 26 &  100\% \\
Number of packets the same after normalization:&2244590 \\
Number of packets exactly the same on the wire:&2244590 \\
Total number of packets inspected:             &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

Differences between NSD 2.3.6 and NSD 3.0.0 for a nl. trace.
Note that apart from the 311 packets that are different, all responses are
binary the same on the wire between the two versions of NSD.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-notify (\ref{n-notify}) 		& 289 & 92.93\% \\
version.bind (\ref{nsd-version}) 	& 22  & 7.07\% \\
Total number of differences: 			   & 311 	& 100\% \\
Number of packets the same after normalization:& 99689 \\
Number of packets exactly the same on the wire:& 99689 \\
Total number of packets inspected: 	&100000 \\
\end{tabular}


\subsection{Version number - version.bind and version.server}
\label{nsd-version}

To queries for version.bind and version.server the different implementations
return a different version number, as they should.

\vspace{-8pt}\subparagraph{Analysis:}

Expected. Correct version numbers are returned.


\subsection{n-notify - notify not implemented in NSD 2}
\label{n-notify}

Notifications are handled differently. NSD 2 returns NOTIMPL error code,
while NSD 3 returns NOTAUTH or NXDOMAIN error codes.

\vspace{-8pt}\subparagraph{Analysis:}

Default config denies all notify queries for NSD 3. These answers are correct
for non-existing and not authorized domains.


\subsection{n-ixfr - IXFR error FORMERR in NSD 2}
\label{n-ixfr}

To IXFR query questions different error codes are given. The NSD 2
gives FORMERR (due to the RR in the authority section). NSD 3 returns
NOTIMPL. 

\vspace{-8pt}\subparagraph{Analysis:}

Neither version of NSD implements IXFR. It is more appropriate to
return the NOTIMPL error code in that case. Bugfix in NSD.


\section{Response differences between BIND 8 and NSD 3.0.0}

In this section the response differences between BIND 8.4.7 and NSD 3.0.0
are categorized and analyzed. 


\subsection{Comparison of responses in root trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the root zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit (\ref{n-clrcdbit})	&         516372 &84.39\% \\
d-hostname (\ref{d-hostname})	&         53431  &8.73\% \\
d-additional (\ref{d-additional})	& 32526  &5.32\% \\
b8-nodata-ttlminup (\ref{b8-nodata-ttlminup})	& 4611  &0.75\% \\
n-update (\ref{n-update})	&         1856  &0.30\% \\
d-version (\ref{d-version})	&         1033  &0.17\% \\
b8-auth-any (\ref{b8-auth-any})	&         519  &0.08\% \\
b8-badedns0 (\ref{b8-badedns0})	&         492  &0.08\% \\
d-unknown-class (\ref{d-unknown-class})	& 482  &0.08\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer})	& 451  &0.07\% \\
b-class0 (\ref{b-class0})	&         97  &0.02\% \\
d-notify (\ref{d-notify})	&         18  &0.00\% \\
b8-ignore-tc-query (\ref{b8-ignore-tc-query})	& 6  &0.00\% \\
b8-badquery-ignored (\ref{b8-badquery-ignored})	& 4  &0.00\% \\
n-ixfr-notimpl (\ref{n-ixfr-notimpl})	& 3  &0.00\% \\
b-soattl (\ref{b-soattl})	&         1  &0.00\% \\
Total number of differences: 		&	 611902	&100\% \\
Number of packets the same after normalization:&1632714 \\
Number of packets exactly the same on the wire:&   2299 \\
Total number of packets inspected: 	       &2244616 \\
\end{tabular}


\subsection{Comparison of responses in NL TLD trace}

The differences between BIND 8.4.7 and NSD 3.0.0 when presented
with queries for the .nl zone are below.

\begin{tabular}{lrr}
{\em difference}			& {\em packets} & {\em \%diff}	\\
n-clrcdbit        (\ref{n-clrcdbit})         &           2857        &33.53\% \\
d-unknown-opcode  (\ref{d-unknown-opcode})   &           2692        &31.59\% \\
n-update          (\ref{n-update})           &           1283        &15.06\% \\
d-badqueryflags   (\ref{d-badqueryflags})    &            841        &9.87\% \\
d-hostname        (\ref{d-hostname})         &            531        &6.23\% \\
d-notify          (\ref{d-notify})           &            293        &3.44\% \\
d-version         (\ref{d-version})          &             22        &0.26\% \\
b-badquery-badanswer (\ref{b-badquery-badanswer}) &         1        &0.01\% \\
b8-badedns0          (\ref{b8-badedns0})     &              1        &0.01\% \\
Total number of differences: &8521 &100\% \\
Number of packets the same after normalization:&91479 \\
Number of packets exactly the same on the wire:&90837 \\
Total number of packets inspected:&100000 \\
\end{tabular}


\subsection{b8-nodata-ttlminup - BIND 8 uses minimum TTL from SOA also if bigger}
\label{b8-nodata-ttlminup}

For NXDOMAIN queries in root-servers.net BIND 8 uses the minimum TTL from
the SOA as the TTL of the included SOA RR. However, this minimum TTL is 
larger than the original TTL of the SOA, both NSD 2.3.6, NSD 3 and BIND 9
use the smaller of those two values as the TTL of the included SOA.

\vspace{-8pt}\subparagraph{Analysis:}

Bug in BIND 8 solved in BIND 9.


\subsection{b8-badquery-ignored - BIND 8 replies normally for some bad queries}
\label{b8-badquery-ignored}

BIND8 manages to reply for malformed queries. NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

The query is bad, formerr is needed. Fixed in BIND9.


\subsection{b8-badedns0 - BIND 8 ignores bad EDNS0 queries}
\label{b8-badedns0}

BIND 8 ignores queries with bad EDNS0 section. It answers the query.
NSD replies with FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

BIND8 is more liberal in accepting broken EDNS0 records. NSD is not.
Changed in BIND 9.


\subsection{b8-auth-any - BIND 8 includes an authority section on queries for ANY .}
\label{b8-auth-any}

BIND8 includes an authority section on queries for class ANY .
BIND9 and NSD return an empty authority section.

\vspace{-8pt}\subparagraph{Analysis:}

Fixed in BIND9.


\subsection{b8-ignore-tc-query - BIND 8 ignores the TC bit in queries}
\label{b8-ignore-tc-query}

BIND responds to queries that have the TC bit set. NSD gives FORMERR.

\vspace{-8pt}\subparagraph{Analysis:}

This is like the n-tcinquery (\ref{n-tcinquery}), except where BIND9 returns NXDOMAIN,
BIND8 returns the query with qr bit set. This is fixed in BIND9.
NSD is less liberal in accepting queries, it returns form error on queries with
the TC bit set.

\bibliographystyle{nlnetlabs}
\bibliography{allbib}

\end{document}