Cannot Delete Glue record
Kevin Darcy
kcd at chrysler.com
Wed May 13 16:59:32 UTC 2009
Luke Hopkins wrote:
> I have a glue (nameserver host) record which hasn't been used in years and I want to delete it (and ultimately re-use the name). Attempting a delete through UKreg (Fasthosts) gives me this:
>
> Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 Object association prohibits operation.)
>
> I cannot find any way to check what domains are attached to it, and UKreg support are unable to help (check manually was their answer).
>
> We don't have that many domains, so I've checked them all manually, both the zone files and what the registrar has listed as authoritive, but this glue record isn't used by us.
>
> Is there a way/tool which can check what domains are attached to a glue record.
>
> For reference, the name is ns0.broadbean.net
>
>
They should be able to look into the registry database to find this.
It might be very difficult for you, as a customer, to ascertain, outside
of the DNS protocol itself, what domain(s) might be delegated to that
name. If your registry is lax about checking such things, it's
conceivable that someone has delegated their domain(s) to your
nameserver without your consent, in order to meet a 2-nameserver
delegation requirement, while only actually having a single
authoritative nameserver hosting the zone. In that scenario, if you have
everything in a single "view", and open access to the cache, and with
open recursion (or one of your "trusted" recursive clients went rogue),
they might even be able to "poke" your nameserver periodically, in order
to populate your cache with desired records, and thus leech off your
resolution services. That's another reason why it's recommended to
either a) strictly limit access to your cache (later versions of BIND do
this more conveniently and by default), or b) have separate views for
recursive and non-recursive (hosting) service.
But I digress...
One investigative approach would be to point that name at a valid
address in your Internet-facing range, and record -- by using a sniffer,
or bringing up a minimal nameserver and turning on query logging -- what
queries you're getting, and for what zones.
- Kevin
More information about the bind-users
mailing list