RFC 2317 Delegation Problems

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 23 00:43:10 UTC 2004


Stephen Carville wrote:

>I just got one of my ISP's to delegate 209.189.102.192/27  to my DNS servers 
>by setting up CNAME records eg:
>
>200.103.198.209.in-addr-arpa.	CNAME	200.192.103.198.209.in-addr-arpa.
>
>and delegated the zone 192.103.198.209.in-addr-arpa to my servers.
>
>If I got to an outside server and try 
>
>$ dig -x 209.189.103.200 +trace
>
>; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200 +trace
>;; global options:  printcmd
>.                       514079  IN      NS      K.ROOT-SERVERS.NET.
>.                       514079  IN      NS      L.ROOT-SERVERS.NET.
>.                       514079  IN      NS      M.ROOT-SERVERS.NET.
>.                       514079  IN      NS      A.ROOT-SERVERS.NET.
>.                       514079  IN      NS      B.ROOT-SERVERS.NET.
>.                       514079  IN      NS      C.ROOT-SERVERS.NET.
>.                       514079  IN      NS      D.ROOT-SERVERS.NET.
>.                       514079  IN      NS      E.ROOT-SERVERS.NET.
>.                       514079  IN      NS      F.ROOT-SERVERS.NET.
>.                       514079  IN      NS      G.ROOT-SERVERS.NET.
>.                       514079  IN      NS      H.ROOT-SERVERS.NET.
>.                       514079  IN      NS      I.ROOT-SERVERS.NET.
>.                       514079  IN      NS      J.ROOT-SERVERS.NET.
>;; Received 436 bytes from 192.168.1.1#53(192.168.1.1) in 2 ms
>
>209.in-addr.arpa.       86400   IN      NS      chia.arin.net.
>209.in-addr.arpa.       86400   IN      NS      dill.arin.net.
>209.in-addr.arpa.       86400   IN      NS      henna.arin.net.
>209.in-addr.arpa.       86400   IN      NS      indigo.arin.net.
>209.in-addr.arpa.       86400   IN      NS      epazote.arin.net.
>209.in-addr.arpa.       86400   IN      NS      figwort.arin.net.
>209.in-addr.arpa.       86400   IN      NS      ginseng.arin.net.
>;; Received 199 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 182 ms
>
>103.189.209.in-addr.arpa. 86400 IN      NS      ns0.verio.net.
>103.189.209.in-addr.arpa. 86400 IN      NS      ns1.verio.net.
>103.189.209.in-addr.arpa. 86400 IN      NS      ns2.verio.net.
>103.189.209.in-addr.arpa. 86400 IN      NS      ns3.verio.net.
>103.189.209.in-addr.arpa. 86400 IN      NS      ns4.verio.net.
>;; Received 145 bytes from 192.5.6.32#53(chia.arin.net) in 115 ms
>
>200.103.189.209.in-addr.arpa. 14400 IN  NS      t.ns.verio.net.
>200.103.189.209.in-addr.arpa. 14400 IN  NS      b.ns.verio.net.
>;; Received 122 bytes from 129.250.15.61#53(ns0.verio.net) in 71 ms
>
>200.103.189.209.in-addr.arpa. 86400 IN  CNAME   200.192.103.189.209.in-addr.arpa.
>192.103.189.209.in-addr.arpa. 86400 IN  NS      dns.totalflood.com.
>192.103.189.209.in-addr.arpa. 86400 IN  NS      dns2.totalflood.com.
>;; Received 151 bytes from 129.250.35.32#53(b.ns.verio.net) in 71 ms
>
>That looks right to me 
>
No, that's not right at all. Looks like the ns*.verio.net servers are 
delegating each entry under 103.189.209.in-addr.arpa (including the 
192.103.189.209.in-addr.arpa entry!) as a separate zone to 
t.ns.verio.net and b.ns.verio.net, but those nameservers have CNAMEs for 
most of those names, and, of course, a delegation of 
192.103.189.209.in-addr.arpa to your nameservers. A resolver following 
the delegations down will first see, say, 200.103.189.209.in-addr.arpa 
as a delegated zone, then as a CNAME, two results that are incompatible 
with each other. It'll also see 192.103.189.209.in-addr.arpa delegated 
*twice* along the chain, kind of a "sideways" delegation. Either of 
these anomalies could trip up the resolver and cause a SERVFAIL.

Verio should either delegate the whole 103.289.209.in-addr.arpa zone to 
t.ns.verio.net and b.ns.verio.net, or you need to get them to replace 
those per-name delegations in the ns*.verio.net nameservers with a 
sub-delegation (in the case of 192.103.289.209.in-addr.arpa) and CNAMEs 
to your entries instead.

- Kevin

P.S. Why do I vaguely remember these NS'es? I think this Verio bogosity 
goes *way* back...
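To make the two anomalies Kevin describes mechanically checkable, here is an added Python example (not from the thread or from BIND) that parses `dig +trace` output and flags a name handed out both as an NS delegation and as a CNAME, and a zone whose delegation appears at more than one referral step. The sample trace is constructed to mirror the layout Kevin infers from the verio.net servers, not the verbatim output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the dig +trace output quoted above: the last
# two referral steps, laid out as Kevin describes the verio.net servers behaving
# (per-name NS delegations at ns0, then a CNAME and a second NS set at b.ns).
SAMPLE_TRACE = """\
200.103.189.209.in-addr.arpa. 14400 IN  NS      t.ns.verio.net.
200.103.189.209.in-addr.arpa. 14400 IN  NS      b.ns.verio.net.
192.103.189.209.in-addr.arpa. 14400 IN  NS      b.ns.verio.net.
;; Received 122 bytes from 129.250.15.61#53(ns0.verio.net) in 71 ms

200.103.189.209.in-addr.arpa. 86400 IN  CNAME   200.192.103.189.209.in-addr.arpa.
192.103.189.209.in-addr.arpa. 86400 IN  NS      dns.totalflood.com.
192.103.189.209.in-addr.arpa. 86400 IN  NS      dns2.totalflood.com.
;; Received 151 bytes from 129.250.35.32#53(b.ns.verio.net) in 71 ms
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|CNAME)\s+(\S+)$")
FROM_RE = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

def parse_trace(text):
    """Split dig +trace output into steps: (answering server, [(owner, type, target)])."""
    steps, records = [], []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
            continue
        m = FROM_RE.match(line)
        if m:  # end of one step: dig names the server that answered it
            steps.append((m.group(1), records))
            records = []
    return steps

def find_anomalies(steps):
    """Flag names that are both a zone cut (NS) and an alias (CNAME), and zones
    whose NS delegation is handed out at more than one step ("sideways")."""
    ns_steps, cname_names = defaultdict(set), set()
    for idx, (_server, records) in enumerate(steps):
        for owner, rtype, _target in records:
            if rtype == "NS":
                ns_steps[owner].add(idx)
            else:
                cname_names.add(owner)
    return {
        "ns_and_cname": sorted(cname_names & set(ns_steps)),
        "delegated_twice": sorted(n for n, s in ns_steps.items() if len(s) > 1),
    }
```

Run against a real trace, an empty result for both keys is what a clean RFC 2317 delegation (CNAMEs in the parent, one NS set for the sub-zone) looks like.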
