One Domain; Multiple IPs.
Mark.Andrews at nominum.com
Wed Jul 18 22:59:16 UTC 2001
> Mark:
> > Try asking about things other than A records. Some of the
> > load balancers fail to do the rest of the protocol.
> >
> > Given that you usually delegate a single node to these boxes
> > they should be able to answer NS and SOA queries for the name,
> > return NODATA responses to queries for types that don't exist.
> > If a subdomain does not exist it should return NXDOMAIN.
> >
> > I'm not sure if DD has these problems, but some of these boxes
> > definitely do.
>
> DD will return SOA and I think it does NS (I'll check tomorrow), I can't
> say whether it returns NODATA for other types (I'll check that too). Being
> pragmatic, is this important? DD is used for a very specific purpose, that
> is to allow the operator of the DD to advertise A records to redirect
> traffic to his/her published (named) servers appropriately. For his/her
> published and advertised purposes other record types should not be
> requested.
Clients will request lots of things: AAAA records and A6
are starting to be as common as A requests. Also, questions
with EDNS should be answered even if it is just FORMERR;
some of these boxes don't do that. MX queries will also
be common and hopefully SRV queries soon.
Saying that other record types should not be requested is
just plain wrong. It is thinking like this that causes
some of the abominations that are out there pretending to
be nameservers.
> Therefore no normal user will care, only those who dig and doc
> at any available opportunity :-)
> It is certainly true that DD should be delegated individual hosts as zones,
> and as far as I have read the doco, Cisco do not adequately make this
> point. It is also true that DD does not accept TCP requests
For which there is no good reason, and which causes operational
problems from time to time. When will nameserver vendors
learn that DNS/TCP really is not optional, that people
will configure servers such that fallback to TCP will be
required?
>, and I worry
> about whether the technique could be used in a future updated form to
> provide DNSSEC signed answers (even given the CPU power to compute the
> signatures on-the-fly, I would be unhappy to have the private key of the
> zone stored on a device which could be reached on the Internet).
DNSSEC signatures can be pre-computed for each address.
It's just a matter of matching them.
>
> Rgds
> Marc TXK
I repeat: these comments are directed against no one particular
vendor and may not apply to DD.
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
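Mark's checklist above (NS and SOA for the delegated name, NODATA for types that do not exist, NXDOMAIN for a subdomain that does not exist, and some answer, even FORMERR, to an EDNS query) as an added, runnable example in Python. This is editorial code, not part of the original post and not any vendor's implementation. It builds DNS wire-format messages by hand and runs the checks against an in-process responder; two constructed responders are included, a proper authoritative server for a single delegated node and a box that only knows A records. The misbehaviour of that box (answering every A query with the same addresses and dropping everything else) is an assumption made for illustration, not a description of any product. The zone data (www.example.com., 192.0.2.10 and .11, lb1/lb2.example.com.) is constructed sample data, and the checks do not cover TCP.

```python
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "OPT": 41}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def decode_name(data, off):
    # Read a name at `off`, following RFC 1035 compression pointers; returns (name, end offset).
    labels, end = [], None
    while data[off]:
        if data[off] & 0xC0 == 0xC0:              # pointer: note where we were, jump to the target
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode("ascii"))
            off += 1 + data[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def build_query(name, qtype, edns=False, qid=0x1234):
    # Plain query with RD set; edns=True appends an empty OPT RR advertising a 4096-byte UDP size.
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, int(edns))
    msg += encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)
    return msg + (b"\x00" + struct.pack("!HHIH", TYPES["OPT"], 4096, 0, 0) if edns else b"")

def parse_message(data):
    # Header, question and every RR section as a dict; rdata is kept opaque.
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, off = struct.unpack("!H", data[off:off + 2])[0], off + 4
    msg = {"qid": qid, "qname": qname, "qtype": qtype, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        msg[section] = []
        for _ in range(count):
            rname, off = decode_name(data, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            msg[section].append((rname, rtype, data[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    return msg

def build_reply(query, rcode, answers=(), authority=()):
    # Authoritative (AA) reply echoing the question; RRs are (name, type_name, rdata) tuples.
    q = parse_message(query)
    hdr = struct.pack("!HHHHHH", q["qid"], 0x8400 | rcode, 1, len(answers), len(authority), 0)
    body = encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    for name, rtype, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", TYPES[rtype], 1, 300, len(rdata)) + rdata
    return hdr + body

def classify(reply):
    # Name the outcome the way the thread does; reply is a parsed message, or None if nothing came back.
    if reply is None:
        return "NO RESPONSE"
    if reply["rcode"] != "NOERROR" or reply["answer"]:
        return "ANSWER" if reply["rcode"] == "NOERROR" else reply["rcode"]
    soa_in_auth = any(t == TYPES["SOA"] for _, t, _ in reply["authority"])
    return "NODATA" if soa_in_auth else "EMPTY (no SOA in authority)"

def make_server(apex, rrsets, a_only=False):
    # In-process responder over rrsets ({name: {type_name: [rdata, ...]}}). a_only=True mimics a box
    # that only knows A: it answers any A query with the apex addresses and drops the rest (assumed).
    soa = [(apex, "SOA", rrsets[apex]["SOA"][0])]
    def respond(query):
        q = parse_message(query)
        rtype = next((n for n, v in TYPES.items() if v == q["qtype"]), None)
        if a_only:
            return None if rtype != "A" or q["additional"] else build_reply(
                query, 0, [(q["qname"], "A", r) for r in rrsets[apex]["A"]])
        if q["additional"]:                       # no EDNS support here: at least say so
            return build_reply(query, 1)
        if q["qname"] not in rrsets:              # nothing below the node: NXDOMAIN + SOA
            return build_reply(query, 3, authority=soa)
        if rtype not in rrsets[q["qname"]]:       # name exists, type does not: NODATA + SOA
            return build_reply(query, 0, authority=soa)
        return build_reply(query, 0, [(q["qname"], rtype, r) for r in rrsets[q["qname"]][rtype]])
    return respond

def run_checks(apex, respond):
    # Run the thread's checklist against a responder; returns {check: (passed, observed outcome)}.
    def probe(name, qtype, edns):
        reply = respond(build_query(name, qtype, edns))
        return classify(parse_message(reply) if reply else None)
    checks = [("SOA for the name", apex, "SOA", False, {"ANSWER"}),
              ("NS for the name", apex, "NS", False, {"ANSWER"}),
              ("AAAA -> NODATA", apex, "AAAA", False, {"NODATA", "ANSWER"}),
              ("missing subdomain -> NXDOMAIN", "nosuch." + apex, "A", False, {"NXDOMAIN"}),
              ("EDNS query answered (FORMERR is fine)", apex, "A", True, {"ANSWER", "FORMERR"})]
    seen = {label: probe(name, qtype, edns) for label, name, qtype, edns, _ in checks}
    return {label: (seen[label] in ok, seen[label]) for label, _, _, _, ok in checks}

APEX = "www.example.com."                        # constructed sample: one delegated node
ZONE = {APEX: {"A": [bytes([192, 0, 2, 10]), bytes([192, 0, 2, 11])],
               "NS": [encode_name("lb1.example.com."), encode_name("lb2.example.com.")],
               "SOA": [encode_name("lb1.example.com.") + encode_name("hostmaster.example.com.")
                       + struct.pack("!IIIII", 2001071801, 3600, 900, 604800, 60)]}}

if __name__ == "__main__":                       # print what the A-only box gets wrong
    print(run_checks(APEX, make_server(APEX, ZONE, a_only=True)))
```

To run the same checklist against a real delegation, replace the responder with a function that sends the query bytes to the server on UDP port 53 and returns the datagram, or None on timeout; the parser follows compression pointers, so real replies decode. The other types the thread mentions (MX, SRV, A6) are added by extending TYPES and the checks list, and a TCP check is the same exchange with the two-byte length prefix.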