Conflicting glue records?
Matthew Pounsett
matt at conundrum.com
Thu Jan 8 15:10:53 UTC 2009
On 08-Jan-2009, at 03:41 , Dawn Connelly wrote:
> Right, but his question was regarding the host record for the name
> server. You tell the registrar the name and IP address of the name
> servers that are authoritative for the domain. The registrar then
> pushes those glue records to the root servers. Root doesn't care what
> the name and/or IP address of the name servers are. They are unrelated
> across domains. There isn't any cross domain verification. If you say
> that the FQDN and IP address of the authoritative name server is
> something, the registrar believes you and tells root. Root believes
> the registrar. The registrar and root don't do a lookup on the FQDN of
> the name server that is provided- hence it being called a glue record.
> You have to manually enter that data. At least that has been the case
> with every registrar I've dealt with.
Again, this is quite wrong, on several points.
Host records for his domain don't go into the root unless he's
managing a TLD.. and if that's the case he's not dealing with a
registrar.
Whether or not the registrar or the registry do a lookup on the host
records being supplied is irrelevant to why the entry in the DNS is
called glue. In cases where a nameserver is a subdomain of the domain
it is authoritative for, delegations can't happen without the parent
zone supplying an IP address... without the address being supplied by
the parent zone you'd have a catch-22 in the resolution process.
Supplying that IP address "glues" the two zones together.. hence the
name.
And finally to the poster's original question..
This is actually more of an issue of registry operations and/or EPP,
rather than DNS. According to the EPP spec only the registrar
sponsoring the domain can register host records within it. So, to
borrow from someone else's example, only the domain holder for
apple.com can register the host records ns1.apple.com and
ns2.apple.com. The orange.com registrant can't create a host record
for ns1.apple.com and register an IP address with it. The registrar
*may* accept this data from the registrant anyway, but it shouldn't
(according to the spec) be passed on to the registry. I suppose the
registry could also accept it from the registrar (though in the case
of .com I doubt this violation is occurring) but it shouldn't be
published into the DNS. Only the host records registered by the
apple.com domain holder should wind up there.
Matt
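The two rules described in the message above, as an added example that is not part of the original post or of any registry's code: when a delegation needs glue, and whose host record may be published. The registrar IDs, the sponsorship table and the function names are constructed for illustration; names are compared label by label so that ns1.pineapple.com is not mistaken for a host under apple.com.

```python
# Added example (not from the original post). Sample data is constructed.

# Registered domain -> sponsoring registrar (hypothetical IDs).
SPONSORS = {
    "apple.com": "registrar-A",
    "orange.com": "registrar-B",
}

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_at_or_below(name, zone):
    """True if `name` equals `zone` or is a subdomain of it (label-wise)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def needs_glue(delegated_zone, nameserver):
    """Glue is required when the nameserver lives inside the zone it serves:
    without an address from the parent, resolving it would be a catch-22."""
    return is_at_or_below(nameserver, delegated_zone)

def superordinate_domain(host, sponsors=SPONSORS):
    """Most specific registered domain that `host` falls under, or None."""
    candidates = [d for d in sponsors if is_at_or_below(host, d)]
    return max(candidates, key=lambda d: len(labels(d)), default=None)

def may_publish_glue(registrar, host, sponsors=SPONSORS):
    """Accept a host record only from the registrar sponsoring the domain
    the host sits under; anything else is not published into the DNS."""
    parent = superordinate_domain(host, sponsors)
    return parent is not None and sponsors[parent] == registrar

if __name__ == "__main__":
    requests = [  # (registrar, host) pairs, constructed
        ("registrar-A", "ns1.apple.com"),
        ("registrar-B", "ns1.apple.com"),
        ("registrar-A", "ns1.pineapple.com"),
    ]
    for registrar, host in requests:
        verdict = "publish" if may_publish_glue(registrar, host) else "reject"
        print(f"{registrar:12} {host:20} {verdict}")
```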