--> ]> Internet Systems Consortium

PO Box 360 Newmarket NH 03857 US marka@isc.org

The DNS uses glue records to allow iterative clients to find the addresses of nameservers that live within the delegated zone. Glue records are expected to be returned as part of a referral and if they cannot be fitted into the UDP response, TC=1 MUST be set to inform the client that the response is incomplete and that TCP SHOULD be used to retrieve the full response.

The DNS , uses glue records to allow iterative clients to find the addresses of nameservers that live within the delegated zone. Glue records are expected to be returned as part of a referral and if they cannot be fitted into the UDP response, TC=1 MUST be set to inform the client that the response is incomplete and that TCP SHOULD be used to retrieve the full response. While not common real life examples servers that fail to set TC=1 when glue records are available exist and they do cause resolution failures. The example below shows a case where none of the glue records fitted into the available space and TC=1 was not set in the response. While this example show an DNSSEC , , referral response, this behaviour has also been seen with plain DNS responses as well. The records have been truncated for display purposes.

% dig +norec +dnssec +bufsize=512 +ignore @a.gov-servers.net \ rh202ns2.355.dhhs.gov ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \ @a.gov-servers.net rh202ns2.355.dhhs.gov ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;rh202ns2.355.dhhs.gov. IN A ;; AUTHORITY SECTION: dhhs.gov. 86400 IN NS rh120ns2.368.dhhs.gov. dhhs.gov. 86400 IN NS rh202ns2.355.dhhs.gov. dhhs.gov. 86400 IN NS rh120ns1.368.dhhs.gov. dhhs.gov. 86400 IN NS rh202ns1.355.dhhs.gov. dhhs.gov. 3600 IN DS 51937 8 1 ... dhhs.gov. 3600 IN DS 635 8 2 ... dhhs.gov. 3600 IN DS 51937 8 2 ... dhhs.gov. 3600 IN DS 635 8 1 ... dhhs.gov. 3600 IN RRSIG DS 8 2 3600 ... ;; Query time: 226 msec ;; SERVER: 69.36.157.30#53(69.36.157.30) ;; WHEN: Wed Apr 15 13:34:43 AEST 2020 ;; MSG SIZE rcvd: 500 %

This is almost certainly due a wide spread misbelief that all additional section records are optional. This has never been the case with respect to glue records and later protocol extension have added more cases where records in the additional section are not optional in the response. This includes TSIG , OPT , and SIG(0) . Glue records are added to the parent zone as part of the delegation process. They are expected to be returned as part of a referral and if they can't fit in a UDP response TC=1 MUST be set to signal to the client to retry over TCP. This document reinforces that expectation.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Replace "Copy the NS RRs for the subzone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. Go to step 4." with "Copy the NS RRs for the subzone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. If glue RRs do not fit set TC=1 in the header. Go to step 4."

This document reinforces DNS server behaviour expectations and does not introduce new security considerations.

There are no actions for IANA.

&rfc1034; &rfc1035; &rfc2119; &rfc2845; &rfc2931; &rfc4033; &rfc4034; &rfc4035; &rfc6891;