Everybody Resolves this Domain but Us.

Pete Ehlke pde at ehlke.net
Tue Jul 23 13:53:31 UTC 2002


On Mon, Jul 22, 2002 at 09:05:37AM -0400, Chris Davis wrote:
> 
> I'm not suggesting that each NS be verified as valid and reachable.  That
> would indeed be way too much to do.  I am suggesting only that each NS RDATA
> in a zone be checked as "not having a definitely invalid TLD."  If the NS
> RDATA is *potentially* resolvable, then it is accepted.  If there is
> absolutely no potential to resolve the NS RDATA, the zone should fail to
> load.
[snip]
> A registrar foulup won't make your NS RDATA's TLDs inaccessible.  Registrars
> and their problems are outside the scope of the idea.  It's a TLD existence
> check only.
> 
> And if the TLDs are completely wacked and telling you your correct TLDs
> don't exist when you're loading your zone?  
> 
> Yes, in that case, some poor dns operator(s) would get confused as to what's
> going on, along with everyone else operating DNS at that time.  If the TLDs

$TTL 1D
sonymusic.com. IN SOA ns1.sonymusic.com. root.ns1.sonymusic.com. (
        2002071400      ;serial
        3H              ;refresh
        15M             ;retry
        1W              ;expire
        1H )            ;ncache

        IN      NS      ns1.sonymusic.com.
        IN      NS      ns2.sonymusic.com.
        IN      NS      ns.sonymusic.fr.


Imagine that fr. disappears (Don't say 'that will never happen'; it
has.). Or add four more NS records, all in different ccTLDs, and imagine
any one of them failing. Now explain to me why the zone, which would
function for the vast majority of the internet under current
circumstances, should refuse to load and thus not function *AT ALL*.

I've taken a phone call from Tommy Mottola's personal assistant when he
lost critical email from Clive Davis and one of my systems was
responsible. Is that a call *you* want to take?

Jim is right. By all means, take whatever measures you deem appropriate
to validate your zone files before you push them to your production
servers. But those checks do *not* belong inside named, whose function
is to serve the data you give it.

-Pete
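The kind of pre-push check this thread argues about, written as an added example that is not part of the original post and not BIND code: a deploy-time lint that pulls the NS RDATA out of a zone file and flags any target whose TLD is not on a known list, but only refuses the zone when every NS is suspect. The TLD set is a deliberately short constructed stand-in for the real root-zone list, the sample zone is the one from the post (the "fr. disappears" scenario is simulated by dropping "fr" from the set), and the $ORIGIN handling and single-line-record assumption are choices made here, not BIND behaviour.

```python
"""Pre-push zone lint: flag NS RDATA whose TLD is not in a known list.

This runs beside named-checkzone in a deploy pipeline, never inside named.
A single suspect NS is a warning, not a rejection: the zone still works for
most of the internet. Only a zone with no plausible NS at all is refused.
"""

# Constructed for this example: a tiny stand-in for the real root-zone TLD
# list. A real deployment would load the current IANA TLD list instead.
KNOWN_TLDS = {"com", "net", "org", "fr", "uk", "de", "arpa"}

# The zone from the post, embedded so the check runs offline.
SAMPLE_ZONE = """\
$TTL 1D
sonymusic.com. IN SOA ns1.sonymusic.com. root.ns1.sonymusic.com. (
        2002071400      ;serial
        3H              ;refresh
        15M             ;retry
        1W              ;expire
        1H )            ;ncache

        IN      NS      ns1.sonymusic.com.
        IN      NS      ns2.sonymusic.com.
        IN      NS      ns.sonymusic.fr.
"""


def tld_of(name):
    """Return the rightmost label of a domain name, lowercased ('' if none)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return labels[-1].lower() if labels else ""


def ns_rdata(zone_text, origin=None):
    """Yield (lineno, absolute_target) for every single-line NS record.

    Assumption made here: NS records sit on one line, so the type token is
    the second-to-last token and the RDATA is the last. $ORIGIN directives
    are honoured; relative targets get the origin appended.
    """
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()      # drop comments
        if not tokens:
            continue
        if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
            origin = tokens[1]
            continue
        if len(tokens) < 2 or tokens[-2].upper() != "NS":
            continue
        target = tokens[-1]
        if not target.endswith(".") and origin:
            target = f"{target}.{origin.rstrip('.')}."
        yield lineno, target


def check_zone(zone_text, known_tlds=KNOWN_TLDS, origin=None):
    """Return (ok, findings).

    findings: (lineno, target, reason) for each NS target whose TLD is not
    in known_tlds. ok is False only when there are no NS records or when
    every NS target is suspect; one bad ccTLD among several does not fail
    the zone, it is reported for a human to look at before the push.
    """
    targets = list(ns_rdata(zone_text, origin))
    if not targets:
        return False, [(0, "", "zone has no NS records")]
    findings = []
    for lineno, target in targets:
        tld = tld_of(target)
        if tld not in known_tlds:
            findings.append((lineno, target, f"unknown TLD '{tld}'"))
    return len(findings) < len(targets), findings


if __name__ == "__main__":
    # Normal case: every NS target has a known TLD.
    print(check_zone(SAMPLE_ZONE))
    # Simulate fr. vanishing: one warning, but the zone is still accepted.
    print(check_zone(SAMPLE_ZONE, known_tlds=KNOWN_TLDS - {"fr"}))
```

Pair it with named-checkzone (which validates syntax) in the same pre-push step; this lint adds the "is the TLD even plausible" question the thread is about, and keeps the go/no-go decision with the operator rather than with named.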

