Authority in Bind 9

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 10 00:22:56 UTC 2001


Ruben I Safir - Brooklyn Linux Solutions CEO wrote:

> I'm having trouble with a client's DNS and mail where occasionaly the DNS seems
> to cut out momentarily.  If I run:
> [ruben at mail ruben]$ dig rm-cpa.com mx
>
> ; <<>> DiG 8.2 <<>> rm-cpa.com mx
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      rm-cpa.com, type = MX, class = IN
>
> ;; ANSWER SECTION:
> rm-cpa.com.             1D IN MX        10 mail.rm-cpa.com.
>
> ;; AUTHORITY SECTION:
> rm-cpa.com.             1D IN NS        mail.rm-cpa.com.
> rm-cpa.com.             1D IN NS        home.rm-cpa.com.
>
> ;; ADDITIONAL SECTION:
> mail.rm-cpa.com.        1D IN A         216.112.229.114
> home.rm-cpa.com.        1D IN A         192.168.0.100
>
> ;; Total query time: 8 msec
> ;; FROM: mail.rm-cpa.com to SERVER: default -- 216.112.229.114
> ;; WHEN: Fri Feb  9 09:31:02 2001
> ;; MSG SIZE  sent: 28  rcvd: 114
>
> There is only one authority.

You mean only one *usable* authority record, right? home.rm-cpa.com is not usable
because it's on a private address. They shouldn't be advertising that publicly. Seems
someone needs to learn how to do split DNS...

> If I look at other setups which I trust like wa3yre.wynn.com I get:
>
> ; <<>> DiG 8.2 <<>> wa3yre.wynn.com mx
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
> ;; QUERY SECTION:
> ;;      wa3yre.wynn.com, type = MX, class = IN
>
> ;; ANSWER SECTION:
> wa3yre.wynn.com.        1d23h52m20s IN MX  5 wa3yre.wynn.com.
>
> ;; AUTHORITY SECTION:
> wynn.com.               1d23h52m20s IN NS  sec2.dns.psi.net.
> wynn.com.               1d23h52m20s IN NS  wa3yre.wynn.com.
> wynn.com.               1d23h52m20s IN NS  sec1.dns.psi.net.
>
> ;; ADDITIONAL SECTION:
> sec1.dns.psi.net.       23h51m43s IN A  38.8.92.2
> sec2.dns.psi.net.       23h51m43s IN A  38.8.93.2
>
> ;; Total query time: 9 msec
> ;; FROM: mail.rm-cpa.com to SERVER: default -- 216.112.229.114
> ;; WHEN: Fri Feb  9 09:32:01 2001
> ;; MSG SIZE  sent: 33  rcvd: 144
>
> That is three authoritative servers.  Are the other Authoritative servers
> the secondaries registered with the NIC for a domain name?

In this case, yes. wynn.com is delegated from .com to 3 nameservers. But you can only
tell that for sure by querying the .com servers directly. If you query a cache, you'll
likely get the NS list published by the authoritative server(s), which doesn't
necessarily match the delegation NS'es. Fortunately, for wynn.com, they *do* match.

> This is a DSL
> connection which seems to have momentary outages.

Well, I'm not surprised. Not only is mail.rm-cpa.com publishing one bogus and only one
working NS for rm-cpa.com, but two of the three delegated servers for that domain are
*not only* lame, they are also returning an SOA-less authoritative NXDOMAIN for
everything outside of their authoritative zones (except for the root zone, which
returns FORMERR). All of this makes resolution of rm-cpa.com names rather difficult: a
two-thirds chance of getting a bad delegation to start with, and a Single Point of
Failure even if you get "lucky". Talk about running the gauntlet...

> Can I use anyone as an authoritative
> DNS and just make a record?

Sure, technically you can delegate to anyone. But it's rude to delegate without
permission, and whether it even works or not is then up to the discretion of the
delegated entity. Furthermore, if you delegate your domain to some random nameserver on
the Net, you give them the opportunity to hijack your domain, with respect to at least
some querying resolvers, some of the time. IANAL, but it seems to me that it would be
difficult to even sue them civilly for any consequences of that, since it was your
gross negligence that gave them the opportunity to hijack your domain in the first
place (kind of like leaving the keys in the ignition of your unlocked car, your engine
running and a big sign on the windshield saying "help yourself!". Can you say
_volenti_non_fit_iniuria_?).


- Kevin