BIND 8.x, security, and delegations
Gregg TeHennepe
gat at jax.org
Tue Jun 15 12:25:40 UTC 1999
Barry Margolin wrote:
> That's not how it works. How is the querier supposed to know that
> informatics.jax.org has its own nameservers? The way it works is that they
> ask your server for the A record of www.informatics.jax.org. If your
> server has the information and they're authorized to query in that zone,
> your server will respond;
My server does not have the A record, so presumably we go to:
> if the subdomain is delegated and your server
> doesn't have the answer, it should return a referral containing the NS
> records, and then the querier will retry by asking those servers.
Okay that makes sense to me, and it means that eventually the query will
succeed. But then Cricket writes:
> Actually, I would think your name server wouldn't be returning the referral,
> since the original query was denied.
Ack! This means the query will fail?! Now I'm confused again... if this is the
case, does it mean I can't configure my servers securely and still delegate the
domain as described? Do my servers have to be secondaries for the delegated
domain so that they can look up the A record?
Cheers - Gregg
Gregg TeHennepe | Unix Systems Administrator | The Jackson Laboratory
gat at jax.org | http://aretha.jax.org/~gat | Bar Harbor, Maine USA
Lastly Barry asks:
> P.S. Why did you thread this to a completely unrelated message (it was
> titled "Help" -- you posted this as a reply, although you changed the
> Subject)?
Um, I have the brainstem of a newt? Hmm, been on the net too long to use the new
luser excuse ;-)... historically I've had marginal access to news, and have
participated in mail lists almost exclusively compared to newsgroups. Being used
to their unthreaded nature, I have the bad habit of sending mail to the group by
picking a random message, replying, and changing the subject. Thanks for the
heads-up.