Are matching "A" records required for "NS" servers if parent has glue records ?

Mark_Andrews at isc.org Mark_Andrews at isc.org
Wed Sep 25 04:47:44 UTC 2002 

> Are matching "A" records required for "NS" servers if parent has glue 
> records ?  

	Yes.  Glue records are copies of those in the child zone.  You
	can't have a copy without a original.  This applies for NS, A and
	AAAA records.
 
> I've looked around for an answer to this and found much information, but I 
> am still unclear on some details.  If anyone has a few moments, I hope you 
> can shed further light on this for me.  (Sorry for the long message).  
> 
> If a given domain has say two authoritative nameservers, and two "NS" 
> records on each of them...  and the same two "NS" records exist on the 
> gtld-servers...  and gtld-servers have two "A" glue records...  but the two 
> authoritative name servers do not have "A" records for their "NS" 
> records...  will this cause resolution problems ?  Below are example values 
> to help explain.  

	Yes this will cause problems.
 
> My other part of the question is, will the "A" glue records from gtld-
> servers be cached or will the auth servers be queried for nameserver "A" 
> records (which would give NXDOMAIN, since "A" records are missing from auth 
> servers) and supercede the "A" glue records that gtld-servers had provided 
> causing future queries to fail (since the NXDOMAIN would be cached as a 
> negative answer) ?  ...and is this behavior/respose standardized and/or 
> does it vary with different resolvers ?  

	It all depends on what is being asked when.  Note nameservers will
	also look for AAAA and A6 records.  The NXDOMAIN returned will wipe
	out any cached A records.
 
> **(Given values are not "real", but only for example.  
> domain.net is not actually missing local "A" records in the real world)
> ----
>     [a.gtld-servers.net]
>     domain.net    NS    ns1.domain.net
>     domain.net    NS    ns2.domain.net
>     domain.net    A     123.123.123.1
>     domain.net    A     123.123.123.2
> 
>     [ns1.domain.net, ns2.domain.net]
>     domain.net    NS    ns1.domain.net
>     domain.net    NS    ns2.domain.net
>     (missing "A" records for ns1 & ns2)
> ----
> 
> My real world example that spawned this question is a little more complex.  
> We have 30+ vanilla caching v8 BIND servers at my job and nearly half of 
> them won't resolve ohd.com.  
> This domain has three "NS" records with glue records on gtld-servers.  
> Of their three auth servers, two have all 3 "A" records to match the "NS" 
> records, but one has no matching "A" records for any of the nameservers.  
> Can this create intermittent resolution, even though glue records are still 
> present for all three nameservers on the gtld-servers ?  

	Yes.
> 
> --------
> $ dig ohd.com ns
> [...]
> ;; ANSWER SECTION:
> ohd.com.                79562   IN      NS      ns0.extremesites.net.
> ohd.com.                79562   IN      NS      ns0.internalmatters.net.
> ohd.com.                79562   IN      NS      ns1.internalmatters.net.
> ;; ADDITIONAL SECTION:
> ns0.extremesites.net.   165670  IN      A       216.237.98.230
> ns0.internalmatters.net. 165962 IN      A       216.237.98.227
> ns1.internalmatters.net. 165962 IN      A       216.237.97.93
> 
> --------
> $ dig @216.237.98.230 ns0.extremesites.net ns0.internalmatters.net 
> ns1.internalmatters.net
> [...]
> Status: NXDOMAIN
> 
> ;; QUESTION SECTION:
> ;ns0.extremesites.net.          IN      A
> ;; AUTHORITY SECTION:
> extremesites.net.       3600    IN      SOA     ns1.extremesites.net. 
> administrator. 28 900 600 86400 3600
> 
> ;; QUESTION SECTION:
> ;ns0.internalmatters.net.       IN      A
> ;; AUTHORITY SECTION:
> internalmatters.net.    3600    IN      SOA     ns1.extremesites.net. 
> chris. 25 900 600 86400 3600
> 
> ;; QUESTION SECTION:
> ;ns1.internalmatters.net.       IN      A
> ;; AUTHORITY SECTION:
> internalmatters.net.    3600    IN      SOA     ns1.extremesites.net. 
> chris. 25 900 600 86400 3600
> 
> --------
> $ dig +short @216.237.98.227 ns0.extremesites.net ns0.internalmatters.net 
> ns1.internalmatters.net
> 216.237.98.230
> 216.237.98.227
> 216.237.97.93
> 
> --------
> $ dig +short @216.237.97.93 ns0.extremesites.net ns0.internalmatters.net 
> ns1.internalmatters.net
> 216.237.98.230
> 216.237.98.227
> 216.237.97.93
> --------
> 
> 
> **(Forgive me if this post is duplicate... I posted it two days ago from a 
> different ISP, but it never showed up in the group).  
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

More information about the bind-users mailing list