Are matching "A" records required for "NS" servers if parent has glue records ?
Mark_Andrews at isc.org
Wed Sep 25 04:47:44 UTC 2002
> Are matching "A" records required for "NS" servers if parent has glue
> records ?
Yes. Glue records are copies of those in the child zone. You
can't have a copy without an original. This applies for NS, A and
AAAA records.
> I've looked around for an answer to this and found much information, but I
> am still unclear on some details. If anyone has a few moments, I hope you
> can shed further light on this for me. (Sorry for the long message).
>
> If a given domain has say two authoritative nameservers, and two "NS"
> records on each of them... and the same two "NS" records exist on the
> gtld-servers... and gtld-servers have two "A" glue records... but the two
> authoritative name servers do not have "A" records for their "NS"
> records... will this cause resolution problems ? Below are example values
> to help explain.
Yes this will cause problems.
> My other part of the question is, will the "A" glue records from gtld-
> servers be cached or will the auth servers be queried for nameserver "A"
> records (which would give NXDOMAIN, since "A" records are missing from auth
> servers) and supersede the "A" glue records that gtld-servers had provided
> causing future queries to fail (since the NXDOMAIN would be cached as a
> negative answer) ? ...and is this behavior/response standardized and/or
> does it vary with different resolvers ?
It all depends on what is being asked when. Note nameservers will
also look for AAAA and A6 records. The NXDOMAIN returned will wipe
out any cached A records.
> **(Given values are not "real", but only for example.
> domain.net is not actually missing local "A" records in the real world)
> ----
> [a.gtld-servers.net]
> domain.net NS ns1.domain.net
> domain.net NS ns2.domain.net
> domain.net A 123.123.123.1
> domain.net A 123.123.123.2
>
> [ns1.domain.net, ns2.domain.net]
> domain.net NS ns1.domain.net
> domain.net NS ns2.domain.net
> (missing "A" records for ns1 & ns2)
> ----
>
> My real world example that spawned this question is a little more complex.
> We have 30+ vanilla caching v8 BIND servers at my job and nearly half of
> them won't resolve ohd.com.
> This domain has three "NS" records with glue records on gtld-servers.
> Of their three auth servers, two have all 3 "A" records to match the "NS"
> records, but one has no matching "A" records for any of the nameservers.
> Can this create intermittent resolution, even though glue records are still
> present for all three nameservers on the gtld-servers ?
Yes.
>
> --------
> $ dig ohd.com ns
> [...]
> ;; ANSWER SECTION:
> ohd.com. 79562 IN NS ns0.extremesites.net.
> ohd.com. 79562 IN NS ns0.internalmatters.net.
> ohd.com. 79562 IN NS ns1.internalmatters.net.
> ;; ADDITIONAL SECTION:
> ns0.extremesites.net. 165670 IN A 216.237.98.230
> ns0.internalmatters.net. 165962 IN A 216.237.98.227
> ns1.internalmatters.net. 165962 IN A 216.237.97.93
>
> --------
> $ dig @216.237.98.230 ns0.extremesites.net ns0.internalmatters.net
> ns1.internalmatters.net
> [...]
> Status: NXDOMAIN
>
> ;; QUESTION SECTION:
> ;ns0.extremesites.net. IN A
> ;; AUTHORITY SECTION:
> extremesites.net. 3600 IN SOA ns1.extremesites.net.
> administrator. 28 900 600 86400 3600
>
> ;; QUESTION SECTION:
> ;ns0.internalmatters.net. IN A
> ;; AUTHORITY SECTION:
> internalmatters.net. 3600 IN SOA ns1.extremesites.net.
> chris. 25 900 600 86400 3600
>
> ;; QUESTION SECTION:
> ;ns1.internalmatters.net. IN A
> ;; AUTHORITY SECTION:
> internalmatters.net. 3600 IN SOA ns1.extremesites.net.
> chris. 25 900 600 86400 3600
>
> --------
> $ dig +short @216.237.98.227 ns0.extremesites.net ns0.internalmatters.net
> ns1.internalmatters.net
> 216.237.98.230
> 216.237.98.227
> 216.237.97.93
>
> --------
> $ dig +short @216.237.97.93 ns0.extremesites.net ns0.internalmatters.net
> ns1.internalmatters.net
> 216.237.98.230
> 216.237.98.227
> 216.237.97.93
> --------
>
>
> **(Forgive me if this post is duplicate... I posted it two days ago from a
> different ISP, but it never showed up in the group).
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
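
Added example, not part of the original post and not ISC or BIND code: a small offline audit that compares the parent's glue with what each authoritative server answers for the nameserver names, using the ohd.com values from the dig output quoted above. The function names, the per-server response structure and the 3600 TTL in the positive answers are assumptions made for the illustration.

```python
import re

# ADDITIONAL section of the parent's answer, copied from the dig output in the post.
PARENT_ADDITIONAL = """\
ns0.extremesites.net. 165670 IN A 216.237.98.230
ns0.internalmatters.net. 165962 IN A 216.237.98.227
ns1.internalmatters.net. 165962 IN A 216.237.97.93
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(?:A|AAAA)\s+(\S+)$")

def parse_addresses(text):
    """Map owner name -> set of A/AAAA addresses in dig-style RR lines."""
    found = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            found.setdefault(m.group(1).lower(), set()).add(m.group(2))
    return found

def audit_glue(glue, responses):
    """responses: server -> {name: (rcode, answer_text)}.
    Returns sorted (server, name, problem) for glue the server does not back."""
    findings = []
    for server, by_name in responses.items():
        for name, glue_addrs in glue.items():
            rcode, answer = by_name.get(name, ("NO_RESPONSE", ""))
            auth_addrs = parse_addresses(answer).get(name, set())
            if rcode != "NOERROR":
                findings.append((server, name, rcode))
            elif not auth_addrs:
                findings.append((server, name, "NODATA"))
            elif auth_addrs != glue_addrs:
                findings.append((server, name, "MISMATCH"))
    return sorted(findings)

GLUE = parse_addresses(PARENT_ADDITIONAL)
# Constructed per-server responses mirroring the post: .230 answers NXDOMAIN
# for every nameserver name, the other two return the same addresses as the glue.
# The 3600 TTL in the positive answers is a placeholder.
GOOD = {n: ("NOERROR", "".join(f"{n} 3600 IN A {a}\n" for a in sorted(addrs)))
        for n, addrs in GLUE.items()}
RESPONSES = {
    "216.237.98.230": {n: ("NXDOMAIN", "") for n in GLUE},
    "216.237.98.227": GOOD,
    "216.237.97.93": GOOD,
}
FINDINGS = audit_glue(GLUE, RESPONSES)

if __name__ == "__main__":
    for server, name, problem in FINDINGS:
        print(f"{server}: {name} -> {problem}")
```

Any server that appears in the findings can hand a resolver a negative answer for a nameserver name the parent supplied glue for, which is the intermittent failure described in the thread.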