Name

DNSR-734 — Irrelevant additional record found

Severity

D (debug), A (alert)

Message text

%s #%d name (%s) does not match any RR

Description

The resource record (RR) of the printed type and order (an additional record) has a name that does not appear on the right side of any previous RR. This inconsistency can be a sign of a cache poisoning attack. By default, the whole answer is ignored and the next server is tried. This is the case of the A-level message.

This behavior can be changed for particular domains by the IGNORE-VOID-RR item in the proper REQUEST-ACLs. However, select carefully only the domains that really need this feature (i.e. because the servers of some domain send more nameserver records in the additional section than in the authority section). When this function is switched on, the D-level message reports the occurrence of the inconsistency.
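
The consistency check described above, as an added Python example (not Kernun's own code). It assumes records simplified to (owner, type, rdata) tuples, treats the answer and authority sections as the "previous" RRs, counts the order from 1 within the additional section, and uses a hypothetical ignore_void_rr parameter to stand in for the IGNORE-VOID-RR item.

```python
# Added illustration; not Kernun's implementation. Records are simplified
# (owner, type, rdata) tuples and all names below are constructed samples.
MSG = "%s #%d name (%s) does not match any RR"  # message text from this page

# Assumption: RR types whose right side (RDATA) carries a host name, and the
# index of that name among the whitespace-separated RDATA fields.
TARGET_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1, "SRV": 3}


def norm(name):
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()


def void_additional(previous, additional):
    """Return (type, order, name) for additional RRs named by no previous RR."""
    targets = set()
    for _owner, rtype, rdata in previous:
        idx = TARGET_FIELD.get(rtype)
        fields = rdata.split()
        if idx is not None and idx < len(fields):
            targets.add(norm(fields[idx]))
    # Assumption: the order is counted from 1 within the additional section.
    return [(rtype, order, owner)
            for order, (owner, rtype, _rdata) in enumerate(additional, start=1)
            if norm(owner) not in targets]


def check_response(previous, additional, ignore_void_rr=False):
    """Model both behaviours: returns (accept_answer, [(level, message)])."""
    level = "D" if ignore_void_rr else "A"
    lines = [(level, MSG % hit) for hit in void_additional(previous, additional)]
    return (ignore_void_rr or not lines), lines


# Constructed response: the last additional record names a host that no
# answer or authority RR refers to.
PREVIOUS = [
    ("example.test.", "MX", "10 mail.example.test."),
    ("example.test.", "NS", "ns1.example.test."),
]
ADDITIONAL = [
    ("MAIL.example.test.", "A", "192.0.2.25"),
    ("ns1.example.test.", "A", "192.0.2.53"),
    ("www.other.test.", "A", "203.0.113.66"),
]

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_response(PREVIOUS, ADDITIONAL, ignore_void_rr=flag))
```
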

See also

DNSE-790(6), DNSE-791(6), logging(7)

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.