BIND 8.x, security, and delegations
Cricket Liu
cricket at acmebw.com
Mon Jun 14 19:47:36 UTC 1999
Gregg TeHennepe <gat at jax.org> wrote in message
news:<3761196D.BD6E2E7D at jax.org>...
> My understanding is that a query on a hostname in the informatics.jax.org
> domain should be asking my nameservers for the NS records for that
> domain and the associated glue records, and then the hostname A record
> query should be sent to one of the NSs for that domain, not my
> nameserver.
Actually, no. Remote name servers never specifically look up NS records
during iterative name resolution (unless you send them queries for NS
records). They look up what you tell them to, and your name server makes
the decision to send back a referral to the informatics.jax.org name
servers.
Consequently, the name server's response is correct: They're asking for a
name outside the jax.org zone (in the informatics.jax.org subzone), and thus
covered by your global allow-query access list.
cricket
Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com
Attend our next DNS and BIND class! See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.
More information about the bind-users
mailing list