== DNS/messages ==

The format of the messages used for DNS queries and responses, and related notes. [[DNS/RFC/1035/4]]

It is the format shared by [[../queries]] and [[../response]].

Some servers return all sorts of extra records in their responses, while others send [[/minimal_responses]].

https://isc.sans.edu/diary/When+attackers+use+your+DNS+to+check+for+the+sites+you+are+visiting/16955

== RFC 1034 four sections ==

{{{
The four sections are:

Question        Carries the query name and other query parameters.

Answer          Carries RRs which directly answer the query.

Authority       Carries RRs which describe other authoritative servers.
                May optionally carry the SOA RR for the authoritative
                data in the answer section.

Additional      Carries RRs which may be helpful in using the RRs in the
                other sections.
}}}

4.3.1. Queries and responses

4.3.2. Algorithm

3. Start matching down, label by label, in the zone. The matching process can terminate several ways:

When a referral is returned:

{{{
b. If a match would take us out of the authoritative data, we have a referral. This happens when we encounter a node with NS RRs marking cuts along the bottom of a zone.

Copy the NS RRs for the subzone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. Go to step 4.
}}}

A non-CNAME response (a match):

{{{
Otherwise, copy all RRs which match QTYPE into the answer section and go to step 6.
}}}

{{{
6. Using local data only, attempt to add other RRs which may be useful to the additional section of the query. Exit.
}}}

The following passage is the one that bothers me. (Is this the origin of putting NS records into the Authority Section?)

{{{
4. Start matching down in the cache. If QNAME is found in the cache, copy all RRs attached to it that match QTYPE into the answer section. If there was no delegation from authoritative data, look for the best one from the cache, and put it in the authority section. Go to step 6.
}}}

I cannot find the rationale for the behaviour in which a reply from an authoritative server whose Answer Section is non-empty also carries NS records in the Authority Section. (It is there for the sake of tss's "relocation injection", heh.)

I doubt that RFC 1034 was aware of the problems that arise when a DNS zone is moved to other servers, so it is not surprising that they are not mentioned. (Somebody must have built this behaviour in somewhere along the way.) And then RFC 2181 legitimized it, I suppose.

https://lists.nic.cz/pipermail/knot-dns-users/2015-September/000710.html
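As an added example (not part of the original page or of any RFC text), here is a small Python parser that splits a DNS message into its header fields and the four RFC 1034 sections, fed a constructed response that shows exactly the behaviour questioned above: a non-empty Answer Section accompanied by the zone's NS record in the Authority Section and its glue A record in the Additional Section. The names and addresses (example.test, 192.0.2.x) are made up.

```python
import struct
def encode_name(name):  # dotted name -> length-prefixed labels plus the root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def rr(name, rtype, rdata, ttl=300):  # NAME TYPE CLASS=IN TTL RDLENGTH RDATA (RFC 1035 4.1.3)
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample response (not captured traffic): flags QR|AA|RD|RA, one question, one A
# answer, the zone's NS record in the authority section and its glue A record in additional.
SAMPLE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 1, 1)
    + encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    + rr("www.example.test", 1, bytes([192, 0, 2, 10]))
    + rr("example.test", 2, encode_name("ns1.example.test"))
    + rr("ns1.example.test", 1, bytes([192, 0, 2, 53]))
)

def read_name(msg, off):  # decode a name, following RFC 1035 4.1.4 compression pointers
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message, ends the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_message(msg):  # split a message into header fields and the four RFC 1034 sections
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"id": ident, "aa": bool(flags & 0x0400), "question": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["question"].append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            value = (".".join(str(b) for b in msg[off:off + rdlen]) if rtype == 1  # A
                     else read_name(msg, off)[0] if rtype in (2, 5)                 # NS / CNAME
                     else msg[off:off + rdlen].hex())
            off += rdlen
            out[section].append((name, rtype, value))
    return out
```

A minimal-responses server would return the same message with NSCOUNT and ARCOUNT of zero, so comparing the `authority` and `additional` lists against an empty list is a quick way to tell the two behaviours apart.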