RFC 2317 Delegation Problems
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jun 23 00:43:10 UTC 2004
Stephen Carville wrote:
>I just got one of my ISP's to delegate 209.189.102.192/27 to my DNS servers
>by setting up CNAME records eg:
>
>200.103.198.209.in-addr.arpa. CNAME 200.192.103.198.209.in-addr.arpa.
>
>and delegated the zone 192.103.198.209.in-addr.arpa to my servers.
>
>If I go to an outside server and try
>
>$ dig -x 209.189.103.200 +trace
>
>; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200 +trace
>;; global options: printcmd
>. 514079 IN NS K.ROOT-SERVERS.NET.
>. 514079 IN NS L.ROOT-SERVERS.NET.
>. 514079 IN NS M.ROOT-SERVERS.NET.
>. 514079 IN NS A.ROOT-SERVERS.NET.
>. 514079 IN NS B.ROOT-SERVERS.NET.
>. 514079 IN NS C.ROOT-SERVERS.NET.
>. 514079 IN NS D.ROOT-SERVERS.NET.
>. 514079 IN NS E.ROOT-SERVERS.NET.
>. 514079 IN NS F.ROOT-SERVERS.NET.
>. 514079 IN NS G.ROOT-SERVERS.NET.
>. 514079 IN NS H.ROOT-SERVERS.NET.
>. 514079 IN NS I.ROOT-SERVERS.NET.
>. 514079 IN NS J.ROOT-SERVERS.NET.
>;; Received 436 bytes from 192.168.1.1#53(192.168.1.1) in 2 ms
>
>209.in-addr.arpa. 86400 IN NS chia.arin.net.
>209.in-addr.arpa. 86400 IN NS dill.arin.net.
>209.in-addr.arpa. 86400 IN NS henna.arin.net.
>209.in-addr.arpa. 86400 IN NS indigo.arin.net.
>209.in-addr.arpa. 86400 IN NS epazote.arin.net.
>209.in-addr.arpa. 86400 IN NS figwort.arin.net.
>209.in-addr.arpa. 86400 IN NS ginseng.arin.net.
>;; Received 199 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 182 ms
>
>103.189.209.in-addr.arpa. 86400 IN NS ns0.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns1.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns2.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns3.verio.net.
>103.189.209.in-addr.arpa. 86400 IN NS ns4.verio.net.
>;; Received 145 bytes from 192.5.6.32#53(chia.arin.net) in 115 ms
>
>200.103.189.209.in-addr.arpa. 14400 IN NS t.ns.verio.net.
>200.103.189.209.in-addr.arpa. 14400 IN NS b.ns.verio.net.
>;; Received 122 bytes from 129.250.15.61#53(ns0.verio.net) in 71 ms
>
>200.103.189.209.in-addr.arpa. 86400 IN CNAME 200.192.103.189.209.in-addr.arpa.
>192.103.189.209.in-addr.arpa. 86400 IN NS dns.totalflood.com.
>192.103.189.209.in-addr.arpa. 86400 IN NS dns2.totalflood.com.
>;; Received 151 bytes from 129.250.35.32#53(b.ns.verio.net) in 71 ms
>
>That looks right to me.
>
No, that's not right at all. Looks like the ns*.verio.net servers are
delegating each entry under 103.189.209.in-addr.arpa (including the
192.103.189.209.in-addr.arpa entry!) as a separate zone to
t.ns.verio.net and b.ns.verio.net, but those nameservers have CNAMEs for
most of those names, and, of course, a delegation of
192.103.189.209.in-addr.arpa to your nameservers. A resolver following
the delegations down will first see, say, 200.103.189.209.in-addr.arpa
as a delegated zone, then as a CNAME, two results that are incompatible
with each other. It'll also see 192.103.189.209.in-addr.arpa delegated
*twice* along the chain, kind of a "sideways" delegation. Either of
these anomalies could trip up the resolver and cause a SERVFAIL.
Verio should either delegate the whole 103.189.209.in-addr.arpa zone to
t.ns.verio.net and b.ns.verio.net, or you need to get them to replace
those per-name delegations in the ns*.verio.net nameservers with a
sub-delegation (in the case of 192.103.189.209.in-addr.arpa) and CNAMEs
to your entries instead.
- Kevin
P.S. Why do I vaguely remember these NS'es? I think this Verio bogosity
goes *way* back...
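A small checker for the two anomalies Kevin describes, added here as an example for this archive page (it is not code from either poster). The record sets are constructed from the +trace above; the per-name NS for 192.103.189.209.in-addr.arpa at the ns0.verio.net hop is Kevin's inference rather than something the trace shows, and the final PTR in the fixed chain is made up.

```python
from collections import defaultdict

def check_delegation_chain(hops):
    """hops: one list of (owner, rtype, rdata) per referral step, top first.
    Flags ("cname-at-delegation-point", owner) when a delegated name also
    carries a CNAME, and ("sideways-delegation", owner) when a name already
    delegated upstream is delegated again to a different nameserver set."""
    delegated = {}  # owner -> frozenset of NS targets first seen for it
    problems = []
    for records in hops:
        ns_here, types_here = defaultdict(set), defaultdict(set)
        for owner, rtype, rdata in records:
            owner = owner.lower()  # DNS names compare case-insensitively
            types_here[owner].add(rtype)
            if rtype == "NS":
                ns_here[owner].add(rdata.lower())
        for owner, rtypes in types_here.items():
            if "NS" in rtypes:
                targets = frozenset(ns_here[owner])
                if owner in delegated and delegated[owner] != targets:
                    problems.append(("sideways-delegation", owner))
                delegated.setdefault(owner, targets)  # keep the upstream set
            if "CNAME" in rtypes and owner in delegated:
                problems.append(("cname-at-delegation-point", owner))
    return problems

# Constructed from the +trace in the thread: each inner list is what one
# server along the chain returned. The per-name NS for 192.* at the
# ns0.verio.net hop is the reply's inference, not shown in the trace.
BROKEN_CHAIN = [
    [("103.189.209.in-addr.arpa.", "NS", "ns0.verio.net.")],          # chia.arin.net
    [("200.103.189.209.in-addr.arpa.", "NS", "t.ns.verio.net."),       # ns0.verio.net
     ("200.103.189.209.in-addr.arpa.", "NS", "b.ns.verio.net."),
     ("192.103.189.209.in-addr.arpa.", "NS", "t.ns.verio.net."),
     ("192.103.189.209.in-addr.arpa.", "NS", "b.ns.verio.net.")],
    [("200.103.189.209.in-addr.arpa.", "CNAME", "200.192.103.189.209.in-addr.arpa."),
     ("192.103.189.209.in-addr.arpa.", "NS", "dns.totalflood.com."),   # b.ns.verio.net
     ("192.103.189.209.in-addr.arpa.", "NS", "dns2.totalflood.com.")],
]

# The layout the reply asks for: the parent zone itself holds the RFC 2317
# CNAMEs plus a single sub-delegation of 192.103.189.209.in-addr.arpa.
FIXED_CHAIN = [
    [("103.189.209.in-addr.arpa.", "NS", "ns0.verio.net.")],
    [("200.103.189.209.in-addr.arpa.", "CNAME", "200.192.103.189.209.in-addr.arpa."),
     ("192.103.189.209.in-addr.arpa.", "NS", "dns.totalflood.com."),
     ("192.103.189.209.in-addr.arpa.", "NS", "dns2.totalflood.com.")],
    [("200.192.103.189.209.in-addr.arpa.", "PTR", "host.example.")],  # constructed
]
```

Running `check_delegation_chain` over the broken chain reports the CNAME-at-delegation-point for the .200 name and the sideways delegation of the .192 zone; the fixed chain reports nothing.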