glue records in child zone

Mark Andrews Mark_Andrews at isc.org
Fri Oct 24 23:37:17 UTC 2008


In message <20081023174752.GX92276 at netch.kiev.ua>, Valentin Nechayev writes:
> > I'll start by saying there may be some nuance of the RFC that I'm not 
> > grasping, and I'm sure Mark or someone will pipe up if I get this wrong... 
> >
> > that said...
> > 
> > I believe your problem is that, once you have a zone cut in place (a 
> > delegation to a subzone) then the parent zone is no longer authoritative 
> > for anything below that cut.  In your example, the parent zone 
> > (example.org) delegates authority for hq.example.org, and so it is not 
> > authoritative for anything at or below that domain.. which means that it 
> > can't give an authoritative answer for ns1.hq.example.org.
> 
> Yes, this is exactly what I suppose to be the source of the problem. BTW, setting
> "noaaonly" as query flag doesn't change the response for 9.4.2 - it still
> responds with an empty additional section.
> 
> I forgot to mention there is a real example of such a situation working in the
> world DNS:
> 
> ;; ANSWER SECTION:
> net.                    71243   IN      NS      g.gtld-servers.net.
> net.                    71243   IN      NS      h.gtld-servers.net.
> net.                    71243   IN      NS      i.gtld-servers.net.
> [...]
> ;; ADDITIONAL SECTION:
> a.gtld-servers.net.     70962   IN      A       192.5.6.30
> a.gtld-servers.net.     70962   IN      AAAA    2001:503:a83e::2:30
> b.gtld-servers.net.     70962   IN      A       192.33.14.30
> b.gtld-servers.net.     70962   IN      AAAA    2001:503:231d::2:30
> c.gtld-servers.net.     70962   IN      A       192.26.92.30
> 
> At the same time, gtld-servers.net. is child zone of net.:
> 
> ;; ANSWER SECTION:
> gtld-servers.net.       70913   IN      NS      h2.nstld.com.
> gtld-servers.net.       70913   IN      NS      l2.nstld.com.
> gtld-servers.net.       70913   IN      NS      a2.nstld.com.
> [...]
> 
> Some root servers (e.g. f.root-servers.net, c.root-servers.net) have
> the same version as mine (9.4.2) and still respond with the full list of
> glue records. So, it is possible for these versions, isn't it?

	This is a referral.  Notice the answer section does not
	exist.  The additional section is expected to contain glue.

; <<>> DiG 9.3.5-P2 <<>> ns com @f.root-servers.net +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51579
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15

;; QUESTION SECTION:
;com.				IN	NS

;; AUTHORITY SECTION:
com.			172800	IN	NS	I.GTLD-SERVERS.NET.
com.			172800	IN	NS	D.GTLD-SERVERS.NET.
com.			172800	IN	NS	B.GTLD-SERVERS.NET.
com.			172800	IN	NS	A.GTLD-SERVERS.NET.
com.			172800	IN	NS	L.GTLD-SERVERS.NET.
com.			172800	IN	NS	H.GTLD-SERVERS.NET.
com.			172800	IN	NS	M.GTLD-SERVERS.NET.
com.			172800	IN	NS	J.GTLD-SERVERS.NET.
com.			172800	IN	NS	K.GTLD-SERVERS.NET.
com.			172800	IN	NS	C.GTLD-SERVERS.NET.
com.			172800	IN	NS	E.GTLD-SERVERS.NET.
com.			172800	IN	NS	F.GTLD-SERVERS.NET.
com.			172800	IN	NS	G.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.	172800	IN	A	192.5.6.30
B.GTLD-SERVERS.NET.	172800	IN	A	192.33.14.30
C.GTLD-SERVERS.NET.	172800	IN	A	192.26.92.30
D.GTLD-SERVERS.NET.	172800	IN	A	192.31.80.30
E.GTLD-SERVERS.NET.	172800	IN	A	192.12.94.30
F.GTLD-SERVERS.NET.	172800	IN	A	192.35.51.30
G.GTLD-SERVERS.NET.	172800	IN	A	192.42.93.30
H.GTLD-SERVERS.NET.	172800	IN	A	192.54.112.30
I.GTLD-SERVERS.NET.	172800	IN	A	192.43.172.30
J.GTLD-SERVERS.NET.	172800	IN	A	192.48.79.30
K.GTLD-SERVERS.NET.	172800	IN	A	192.52.178.30
L.GTLD-SERVERS.NET.	172800	IN	A	192.41.162.30
M.GTLD-SERVERS.NET.	172800	IN	A	192.55.83.30
A.GTLD-SERVERS.NET.	172800	IN	AAAA	2001:503:a83e::2:30
B.GTLD-SERVERS.NET.	172800	IN	AAAA	2001:503:231d::2:30

;; Query time: 170 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Sat Oct 25 10:19:38 2008
;; MSG SIZE  rcvd: 509

	This is an answer but f.root-servers.net also serves
	root-servers.net so the A records come from the root-servers.net
	zone.  All the root servers are supposed to be serving
	root-servers.net so that they can return the address records
	for the root servers when they receive a "priming" ("."/NS)
	query from an iterative resolver.  Note the TTLs of the
	additional records match those from the ROOT-SERVERS.NET
	zone.

; <<>> DiG 9.3.5-P2 <<>> ns . @f.root-servers.net +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2326
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
B.ROOT-SERVERS.NET.	3600000	IN	A	192.228.79.201
C.ROOT-SERVERS.NET.	3600000	IN	A	192.33.4.12
D.ROOT-SERVERS.NET.	3600000	IN	A	128.8.10.90
E.ROOT-SERVERS.NET.	3600000	IN	A	192.203.230.10
F.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
G.ROOT-SERVERS.NET.	3600000	IN	A	192.112.36.4
H.ROOT-SERVERS.NET.	3600000	IN	A	128.63.2.53
I.ROOT-SERVERS.NET.	3600000	IN	A	192.36.148.17
J.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
K.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
L.ROOT-SERVERS.NET.	3600000	IN	A	199.7.83.42
M.ROOT-SERVERS.NET.	3600000	IN	A	202.12.27.33
A.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:ba3e::2:30
F.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f

;; Query time: 173 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Sat Oct 25 10:20:25 2008
;; MSG SIZE  rcvd: 492

; <<>> DiG 9.3.5-P2 <<>> soa ROOT-SERVERS.NET @f.root-servers.net +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27906
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 8

;; QUESTION SECTION:
;ROOT-SERVERS.NET.		IN	SOA

;; ANSWER SECTION:
ROOT-SERVERS.NET.	3600000	IN	SOA	a.ROOT-SERVERS.NET. nstld.verisign-grs.com. 2008020400 14400 7200 1209600 3600000

;; AUTHORITY SECTION:
ROOT-SERVERS.NET.	3600000	IN	NS	a.ROOT-SERVERS.NET.
ROOT-SERVERS.NET.	3600000	IN	NS	k.ROOT-SERVERS.NET.
ROOT-SERVERS.NET.	3600000	IN	NS	j.ROOT-SERVERS.NET.
ROOT-SERVERS.NET.	3600000	IN	NS	f.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
a.ROOT-SERVERS.NET.	3600000	IN	A	198.41.0.4
f.ROOT-SERVERS.NET.	3600000	IN	A	192.5.5.241
j.ROOT-SERVERS.NET.	3600000	IN	A	192.58.128.30
k.ROOT-SERVERS.NET.	3600000	IN	A	193.0.14.129
a.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:ba3e::2:30
f.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:500:2f::f
j.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:503:c27::2:30
k.ROOT-SERVERS.NET.	3600000	IN	AAAA	2001:7fd::1

;; Query time: 172 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Sat Oct 25 10:20:51 2008
;; MSG SIZE  rcvd: 332

	h.root-servers.net incorrectly returns the glue records
	but it is NSD.  Note the TTLs in the answer and additional
	sections are the same and don't match those from the
	root-servers.net response above nor the answers returned
	when h.root-servers.net is queried for root-servers.net
	directly.

; <<>> DiG 9.3.5-P2 <<>> ns . @h.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12452
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	518400	IN	A	198.41.0.4
b.root-servers.net.	518400	IN	A	192.228.79.201
c.root-servers.net.	518400	IN	A	192.33.4.12
d.root-servers.net.	518400	IN	A	128.8.10.90
e.root-servers.net.	518400	IN	A	192.203.230.10
f.root-servers.net.	518400	IN	A	192.5.5.241
g.root-servers.net.	518400	IN	A	192.112.36.4
h.root-servers.net.	518400	IN	A	128.63.2.53
i.root-servers.net.	518400	IN	A	192.36.148.17
j.root-servers.net.	518400	IN	A	192.58.128.30
k.root-servers.net.	518400	IN	A	193.0.14.129
l.root-servers.net.	518400	IN	A	199.7.83.42
m.root-servers.net.	518400	IN	A	202.12.27.33
a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f

;; Query time: 238 msec
;; SERVER: 2001:500:1::803f:235#53(2001:500:1::803f:235)
;; WHEN: Sat Oct 25 10:29:53 2008
;; MSG SIZE  rcvd: 492

; <<>> DiG 9.3.5-P2 <<>> version.bind txt ch @h.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51905
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.			CH	TXT

;; ANSWER SECTION:
version.bind.		0	CH	TXT	"NSD 3.1.0"

;; Query time: 234 msec
;; SERVER: 2001:500:1::803f:235#53(2001:500:1::803f:235)
;; WHEN: Sat Oct 25 10:29:40 2008
;; MSG SIZE  rcvd: 52


; <<>> DiG 9.3.5-P2 <<>> root-servers.net soa @h.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11769
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 8

;; QUESTION SECTION:
;root-servers.net.		IN	SOA

;; ANSWER SECTION:
root-servers.net.	3600000	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2008020400 14400 7200 1209600 3600000

;; AUTHORITY SECTION:
root-servers.net.	3600000	IN	NS	a.root-servers.net.
root-servers.net.	3600000	IN	NS	f.root-servers.net.
root-servers.net.	3600000	IN	NS	j.root-servers.net.
root-servers.net.	3600000	IN	NS	k.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.	3600000	IN	A	198.41.0.4
f.root-servers.net.	3600000	IN	A	192.5.5.241
j.root-servers.net.	3600000	IN	A	192.58.128.30
k.root-servers.net.	3600000	IN	A	193.0.14.129
a.root-servers.net.	3600000	IN	AAAA	2001:503:ba3e::2:30
f.root-servers.net.	3600000	IN	AAAA	2001:500:2f::f
j.root-servers.net.	3600000	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	3600000	IN	AAAA	2001:7fd::1

;; Query time: 236 msec
;; SERVER: 2001:500:1::803f:235#53(2001:500:1::803f:235)
;; WHEN: Sat Oct 25 10:34:33 2008
;; MSG SIZE  rcvd: 332

> > It can provide glue for ns.hq.example.org because that is necessary for the
> > delegation to work, but that glue is actually passed as non-authoritative 
> > data.
> > 
> > If you really want to use a host in the subzone as the name server for the 
> > parent zone, then you should remove the ns1.hq.example.org host from the 
> > example.org zone.  I don't recommend this, however.. even if it's 
> > technically permissible, it seems likely this could cause some problems 
> > higher up the delegation chain.  My recommendation would be to make sure 
> > that the authoritative servers for the example.com zone are within that 
> > zone, not within some subzone.
> 
> This is already planned, but there are administrative problems with such
> delegation and I'm investigating how we can postpone this change.
> 
> 
> -netch-
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
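
The distinction drawn in the message above (referral versus authoritative answer, and whether the additional records carry the same TTL as the NS set), as an added example that is not part of the original message. The sample inputs are abridged from the dig output quoted above, the function names and result labels are hypothetical, and the TTL comparison is a heuristic, not proof of which zone a record came from.

```python
import re

# Abridged from the dig output quoted in the message (one record per section).
REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15
;; AUTHORITY SECTION:
com.\t172800\tIN\tNS\tA.GTLD-SERVERS.NET.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.\t172800\tIN\tA\t192.5.6.30
"""
F_ROOT = """\
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; ANSWER SECTION:
.\t518400\tIN\tNS\tF.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
F.ROOT-SERVERS.NET.\t3600000\tIN\tA\t192.5.5.241
"""
H_ROOT = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; ANSWER SECTION:
.\t518400\tIN\tNS\th.root-servers.net.
;; ADDITIONAL SECTION:
h.root-servers.net.\t518400\tIN\tA\t128.63.2.53
"""

def parse_dig(text):
    """Return (flags, {section: [(owner, ttl, rtype, rdata), ...]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif (m := re.match(r";; (\w+) SECTION:", line)):
            current = sections.setdefault(m.group(1), [])
        elif line and not line.startswith(";") and current is not None:
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            current.append((owner.lower(), int(ttl), rtype, rdata))
    return flags, sections

def classify(text):
    flags, sec = parse_dig(text)
    # No aa bit, empty answer, NS records in authority: a referral, glue expected.
    if "aa" not in flags and not sec.get("ANSWER") and sec.get("AUTHORITY"):
        return "referral"
    ns_ttls = {ttl for _, ttl, rtype, _ in sec.get("ANSWER", []) if rtype == "NS"}
    add_ttls = {ttl for _, ttl, _, _ in sec.get("ADDITIONAL", [])}
    # Heuristic: additional TTLs equal to the NS TTL suggest glue from the same zone.
    if add_ttls and add_ttls <= ns_ttls:
        return "answer-with-glue-ttl"
    return "answer-with-other-zone-ttl"
```
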

