[nsd-users] Records below delegation point

Shane Kerr shane at ca.afilias.info
Tue Mar 10 12:43:19 UTC 2009


Matthijs,

FYI, this issue came up when I was working at ISC. I think BIND will
actually warn you when it loads such a zone (I'm not 100% sure, but turn
up logging and check if you want to test).

The specific question we discussed was whether or not something should
be logged when a part of a zone becomes obscured at runtime, either by
the system administrator changing zone file contents and reloading, or
by something like dynamic DNS or [AI]XFR. I am pretty sure my suggestion
that administrators be warned when this happens was ignored, because
BIND has an *implicit* no end-user friendliness requirement. ;)

--
Shane

On Tue, 2009-03-10 at 11:27 +0100, Matthijs Mekking wrote:
> Hi Anand,
> 
> The way I read it is that zone.tld. is delegating the subdomains child
> and sub.child. According to RFC 1034, only NS RRsets may appear at the
> parental side of a zone cut. RFC 2181 clarifies that no data below the
> zone cut may appear at the parental side.
> 
> The behavior of what to do with such a zone is undefined. NSD considers
> this an operator error. Because of the explicit no end-user friendliness
> requirement, NSD has not built in detailed zone garbage detection.
> As a result of the operator error, NSD behaves incorrectly.
> 
> Kind regards,
> 
> Matthijs Mekking
> NLnet Labs
> 
> Anand Buddhdev wrote:
> > I have a question for the NSD developers. I have a zone defined as follows:
> > 
> > $ORIGIN zone.tld.
> > @	IN	SOA ns1 rname 20090309 1d 1h 4w 1h
> > 	IN	NS ns1
> > 	IN	NS ns2
> > ;
> > child	IN	NS foo.example.
> > 	IN	NS bar.example.
> > ;
> > sub.child	IN	NS some.more
> > 		IN	NS yet.more
> > 
> > If I query an NSD 3.x server for NS records for sub.child.zone.tld, I
> > get back an authoritative answer with "some.more." and "yet.more.".
> > 
> > Just for comparison, tinydns does the same thing.
> > 
> > However, BIND 9 responds with "foo.example." and "bar.example.".
> > 
> > My understanding is that an authoritative name server should not know
> > about records below a delegation point, so BIND's behaviour seems okay.
> > Why does NSD respond with answers for records below the delegation point?
> > 
> > Is there a standard which defines what an authoritative server should do
> > with a zone like this?
> > 
> > At the moment, BIND and NSD exhibit opposite behaviour, which could lead
> > to interesting situations where a particular zone has such a delegation,
> > and a mix of BIND and NSD among its name server set.
> > 
> 
> 
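An added example, not part of the original thread and not NSD or BIND code: a small Python check that flags RRsets sitting at or below a delegation point, run over the zone Anand quoted. The function names are hypothetical, and it goes beyond the thread by treating A/AAAA records for name servers named in the delegation as glue and by allowing DS, NSEC and RRSIG at the cut.

```python
GLUE_TYPES = {"A", "AAAA"}
CUT_TYPES = {"NS", "DS", "NSEC", "RRSIG"}  # RR types a parent may hold at a zone cut

def labels(name):
    """Root-first tuple of lower-cased labels for an absolute name."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def is_below(name, ancestor):
    """True when name is a strict descendant of ancestor."""
    n, a = labels(name), labels(ancestor)
    return len(n) > len(a) and n[:len(a)] == a

def find_occluded(origin, records):
    """records: (owner, rrtype, rdata) tuples with absolute, dot-terminated names.
    Returns sorted (owner, rrtype, cut, reason) findings, one per RRset."""
    records = [(o.lower(), t.upper(), r.lower()) for o, t, r in records]
    ns_owners = {o for o, t, _ in records if t == "NS" and o != origin.lower()}
    # The topmost NS owner on each branch is the real zone cut;
    # NS RRsets further down that branch are themselves occluded.
    cuts = {c for c in ns_owners if not any(is_below(c, p) for p in ns_owners)}
    ns_targets = {r for o, t, r in records if t == "NS" and o in cuts}
    findings = set()
    for owner, rrtype, _ in records:
        for cut in cuts:
            if owner == cut and rrtype not in CUT_TYPES:
                findings.add((owner, rrtype, cut, "non-delegation data at zone cut"))
            elif is_below(owner, cut) and not (rrtype in GLUE_TYPES and owner in ns_targets):
                findings.add((owner, rrtype, cut, "occluded below zone cut"))
    return sorted(findings)

# Constructed from the zone quoted in the thread, with relative names
# expanded against $ORIGIN zone.tld.
SAMPLE = [
    ("zone.tld.", "SOA", "ns1.zone.tld. rname.zone.tld. 20090309 1d 1h 4w 1h"),
    ("zone.tld.", "NS", "ns1.zone.tld."),
    ("zone.tld.", "NS", "ns2.zone.tld."),
    ("child.zone.tld.", "NS", "foo.example."),
    ("child.zone.tld.", "NS", "bar.example."),
    ("sub.child.zone.tld.", "NS", "some.more.zone.tld."),
    ("sub.child.zone.tld.", "NS", "yet.more.zone.tld."),
]

if __name__ == "__main__":
    for finding in find_occluded("zone.tld.", SAMPLE):
        print(*finding)
```

Running a check like this before loading or after a dynamic update gives the operator the warning the thread says neither server provides in detail.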