Odd/Incorrect delegation?

Tue Aug 17 22:19:20 UTC 2004

>When trying to resolve the name, pk-concept.de, sometimes it fails and 
>sometimes it succeeds. When tracing the delegation of this name, it looks 
>wrong to me, or there's something I really don't understand.

dig pk-concept.de +trace

; <<>> DiG 9.2.3 <<>> pk-concept.de +trace
;; global options:  printcmd
.                       15368   IN      NS      a.root-servers.net.
.                       15368   IN      NS      b.root-servers.net.
.                       15368   IN      NS      c.root-servers.net.
.                       15368   IN      NS      d.root-servers.net.
.                       15368   IN      NS      e.root-servers.net.
.                       15368   IN      NS      f.root-servers.net.
.                       15368   IN      NS      g.root-servers.net.
.                       15368   IN      NS      h.root-servers.net.
.                       15368   IN      NS      i.root-servers.net.
.                       15368   IN      NS      j.root-servers.net.
.                       15368   IN      NS      k.root-servers.net.
.                       15368   IN      NS      l.root-servers.net.
.                       15368   IN      NS      m.root-servers.net.
;; Received 433 bytes from 209.246.239.50#53(209.246.239.50) in 2 ms

de.                     172800  IN      NS      A.NIC.de.
de.                     172800  IN      NS      E.NIC.de.
de.                     172800  IN      NS      F.NIC.de.
de.                     172800  IN      NS      K.NIC.de.
de.                     172800  IN      NS      J.NIC.de.
de.                     172800  IN      NS      H.NIC.de.
de.                     172800  IN      NS      C.DE.NET.
de.                     172800  IN      NS      D.DE.NET.
de.                     172800  IN      NS      G.DE.NET.
de.                     172800  IN      NS      I.DE.NET.
de.                     172800  IN      NS      B.DE.NET.
;; Received 421 bytes from 198.41.0.4#53(a.root-servers.net) in 78 ms

pk-concept.de.          86400   IN      NS      ns1.pri-dns.de.
pk-concept.de.          86400   IN      NS      ns1.sec-dns.de.
;; Received 83 bytes from 193.171.255.34#53(E.NIC.de) in 173 ms

pk-concept.de.          86400   IN      A       62.146.145.131
pk-concept.de.          86400   IN      NS      ns1.sec-dns.de.
pk-concept.de.          86400   IN      NS      ns1.pri-dns.de.
;; Received 131 bytes from 212.123.96.100#53(ns1.pri-dns.de) in 163 ms

>'root' delegates to the *.de TLDs. The *.de TLDs delegate to 
>ns1.pri-dns.de and ns1.sec-dns.de, however no A records get returned for 
>these NS records.

agreed:

# dig @e.NIC.de ns1.pri-dns.de. any

; <<>> DiG 9.2.3 <<>> @e.NIC.de ns1.pri-dns.de. any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56032
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.pri-dns.de.                        IN      ANY

;; AUTHORITY SECTION:
pri-dns.de.             86400   IN      NS      ns0.ns0.de.
pri-dns.de.             86400   IN      NS      ns2.ns2.de.

>That seems like error number 1. Shouldn't NS records always have glue A 
>records?

no.  when the delegated NS's tld is not the same tld as the NS of the 
parent zone, then the glue records will be missing, so the querier obtains 
the only the delegation record ns1.auth.com from .de ( .de parent and 
delegated NS .com), and then has to query again obtain the A/glue record 
for  ns1.auth.com.

However, the above is not your case, so the NS auth for the .de parent 
should have the glue records for the registered hosts ns1.pri-dns.de. and 
ns1.sec-dns.de.  ( .de parent and delegated NS also .de)

Len

_____________________________________________________________________
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites