Wrong names for NS and glue records not in the child zone

Kalman Feher kalman.feher at melbourneit.com.au
Tue Dec 21 11:59:26 UTC 2010

On 20/12/10 4:18 PM, "Laurent Bauer" <l.bauer at mailclub.fr> wrote:

> On 20/12/2010 13:50, Kalman Feher wrote:
>>> The registry NS return an authority section like :
>>>>   domain.tld. IN NS ns1.domain.tld.
>>>>   domain.tld. IN NS ns2.domain.tld.
>>>> and an additional section with these glue records.
>>>> 
>>>> The delegation should be :
>>>>   domain.tld. IN NS ns1.domain.com.
>>>>   domain.tld. IN NS ns2.domain.com.
>>>> which are also glue records, by the way, but domain.com. resolution is OK.
>>>> 
>>>> Anyway, my cache NS (bind 9.7.1-P2) still resolves A records for
>>>> www.domain.tld. I flushed the cache before.
>>>> Does it mean that bind ignores the authoritative answer for glue records
>>>> and the NS records ?
>> Glue records are not authoritative, although depending on the registry in
>> question they may reply as such. In any case the apex of the zone is
>> considered the most trustworthy by BIND so it will cache the child zone NS
>> records in preference to the glue records. Of course once the cache expires,
>> unless one of the delegation points is accessible from the parent zone (are
>> all NS records for the domain wrong in the parent?) the domain will no
>> longer be accessible. You've already proven as much with the +trace. Your
>> only option is to fix the glue records.
> 
> Thanks for your answer.
> Yes, I've been trying to get the glue records fixed for several days ;
> actually there should be no glue record at all, as the authoritative NS
> for domain.tld should be ns(1|2).domain.com, not ns(1|2).domain.tld.
> Sorry I forgot to tell there were only those two NS, so yes, all NS
> records are currently wrong in the parent.
> But the IP addresses of the glues refer to the correct servers (copied
> from the correct NS names), so I was wondering if this was the reason
> why my cache server was still resolving some records.
Without the exact domain and TLD (their behaviours differ) it's hard to
guess. However if dig +trace doesn't work, that's fairly conclusive that the
domain is offline as far as new lookups are concerned. Obviously those who
have cached the old NS records would not notice it until TTLs expire. So it
depends on TTLs as well as the type of audience that the domain targets
(regular visitor vs transient/one off).
> 
> Laurent

-- 
Kal Feher 
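The check Kal describes above (does the parent's delegation for the zone agree with the NS set at the child's apex, and which glue is present) can be scripted. The following is an added example written for this page; it is not code from the thread, from Kal, or from ISC/BIND. It works on parsed record sets in dig's presentation format, so the parent referral and child apex answer below are constructed samples modelled on the situation in the thread (hypothetical 192.0.2.x addresses) rather than live lookups; in practice the two texts would come from `dig @<parent-ns> domain.tld NS +norecurse +noall +authority +additional` and `dig @<child-ns> domain.tld NS +norecurse +noall +answer`.

```python
"""Compare a parent's delegation for a zone against the child's apex NS set.

Added example for the bind-users thread above. Inputs are records in dig's
presentation format ("owner TTL class type rdata"), one per line.
"""

# Constructed sample data (not from the original thread): the parent delegates
# to ns1/ns2.domain.tld with glue, while the child's apex says ns1/ns2.domain.com.
# Addresses are hypothetical documentation-range values.
PARENT_REFERRAL = """\
domain.tld.        172800  IN  NS  ns1.domain.tld.
domain.tld.        172800  IN  NS  ns2.domain.tld.
ns1.domain.tld.    172800  IN  A   192.0.2.10
ns2.domain.tld.    172800  IN  A   192.0.2.11
"""

CHILD_APEX = """\
domain.tld.        3600    IN  NS  ns1.domain.com.
domain.tld.        3600    IN  NS  ns2.domain.com.
"""


def parse_records(text):
    """Parse presentation-format lines into (owner, ttl, type, rdata) tuples.

    Comment lines (';') and blank lines are skipped; names are lower-cased so
    that set comparisons are case-insensitive, as DNS name matching is.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _rclass, rtype, rdata = line.split(None, 4)
        out.append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return out


def ns_set(records, zone):
    """Names of the NS records owned by the zone apex."""
    return {rdata for owner, _, rtype, rdata in records
            if owner == zone and rtype == "NS"}


def glue_owners(records):
    """Owner names that have A/AAAA glue in the referral's additional section."""
    return {owner for owner, _, rtype, _ in records if rtype in ("A", "AAAA")}


def check_delegation(zone, parent_text, child_text):
    """Report disagreements between the parent delegation and the child apex.

    Names only the parent lists are delegation points the child does not
    acknowledge; names only the child lists are never reached by a cold
    resolver. Whether a parent-only name actually answers still needs a live
    query (dig +trace), which this offline check cannot do.
    """
    parent = parse_records(parent_text)
    child = parse_records(child_text)
    pns, cns = ns_set(parent, zone), ns_set(child, zone)
    glue = glue_owners(parent)
    problems = []
    for name in sorted(pns - cns):
        problems.append(f"parent lists {name} but child apex does not")
    for name in sorted(cns - pns):
        problems.append(f"child apex lists {name} but parent does not")
    # An in-bailiwick name (inside the zone being delegated) is unreachable
    # from the parent unless the parent also hands out glue for it.
    for name in sorted(pns):
        if name.endswith("." + zone) and name not in glue:
            problems.append(f"in-bailiwick {name} has no glue in parent")
    for name in sorted(glue - pns):
        problems.append(f"parent has glue for {name}, which is not an NS of {zone}")
    # Worst case for caches that still hold the child's NS set: its longest TTL.
    child_ns_ttl = max((ttl for owner, ttl, rtype, _ in child
                        if owner == zone and rtype == "NS"), default=0)
    return {
        "parent_ns": pns,
        "child_ns": cns,
        "common": pns & cns,
        "problems": problems,
        "child_ns_ttl": child_ns_ttl,
    }


if __name__ == "__main__":
    report = check_delegation("domain.tld.", PARENT_REFERRAL, CHILD_APEX)
    for line in report["problems"]:
        print(line)
    print(f"NS names present in both: {sorted(report['common']) or 'none'}")
    print(f"old child NS set may linger in caches up to {report['child_ns_ttl']}s")
```

An empty `common` set is the situation in the thread: every name the parent delegates to is one the child does not consider authoritative, so once the cached child NS records age out (at most `child_ns_ttl` seconds) a resolver has only the parent's delegation to work from.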