Conflicting glue records?

Matthew Pounsett matt at conundrum.com
Thu Jan 8 15:10:53 UTC 2009


On 08-Jan-2009, at 03:41 , Dawn Connelly wrote:

> Right, but his question was regarding the host record for the name
> server. You tell the registrar the name and IP address of the name
> servers that are authoritative for the domain. The registrar then
> pushes those glue records to the root servers. Root doesn't care what
> the name and/or IP address of the name servers are. They are unrelated
> across domains. There isn't any cross domain verification. If you say
> that the FQDN and IP address of the authoritative name server is
> something, the registrar believes you and tells root. Root believes
> the registrar. The registrar and root don't do a lookup on the FQDN of
> the name server that is provided- hence it being called a glue record.
> You have to manually enter that data. At least that has been the case
> with every registrar I've dealt with.

Again, this is quite wrong, on several points.

Host records for his domain don't go into the root unless he's  
managing a TLD.. and if that's the case he's not dealing with a  
registrar.

Whether or not the registrar or the registry do a lookup on the host  
records being supplied is irrelevant to why the entry in the DNS is  
called glue.  In cases where a nameserver is a subdomain of the domain  
it is authoritative for, delegations can't happen without the parent  
zone supplying an IP address... without the address being supplied by  
the parent zone you'd have a catch-22 in the resolution process.   
Supplying that IP address "glues" the two zones together.. hence the  
name.

And finally to the poster's original question..

This is actually more of an issue of registry operations and/or EPP,
rather than DNS.  According to the EPP spec only the registrar  
sponsoring the domain can register host records within it.  So, to  
borrow from someone else's example, only the domain holder for  
apple.com can register the host records ns1.apple.com and  
ns2.apple.com.  The orange.com registrant can't create a host record  
for ns1.apple.com and register an IP address with it.   The registrar  
*may* accept this data from the registrant anyway, but it shouldn't  
(according to the spec) be passed on to the registry.  I suppose the  
registry could also accept it from the registrar (though in the case  
of .com I doubt this violation is occurring) but it shouldn't be  
published into the DNS.  Only the host records registered by the  
apple.com domain holder should wind up there.

Matt
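
Added example, not part of the original message or of any registry's code: a small Python model of the two points above, namely when a delegation needs glue and the sponsorship rule for host records. The registrar IDs, the SPONSORS table and the handling of hosts with no registered parent are assumptions made for illustration.

```python
# Illustrative model only; registrar IDs and registry contents are constructed.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_subordinate(host, domain):
    """True when host is at or below domain, compared label by label.

    A plain string suffix test would wrongly place ns1.pineapple.com
    under apple.com.
    """
    h, d = labels(host), labels(domain)
    return len(h) >= len(d) and h[-len(d):] == d

def needs_glue(delegated_domain, nameserver):
    """Glue is required when the nameserver's name lies inside the zone being
    delegated: the parent must supply the address, or resolution of the
    nameserver's own name would depend on itself."""
    return is_subordinate(nameserver, delegated_domain)

def superordinate_domain(host, sponsors):
    """Longest registered domain the host name sits under, or None."""
    matches = [d for d in sponsors if is_subordinate(host, d)]
    return max(matches, key=lambda d: len(labels(d)), default=None)

def may_create_host(host, requester, sponsors):
    """Rule described in the message: only the registrar sponsoring the
    parent domain may register a host record (with an address) inside it."""
    parent = superordinate_domain(host, sponsors)
    if parent is None:
        # Assumption: no registered parent domain, so nothing is published.
        return False
    return sponsors[parent] == requester

# Constructed registry state: domain -> sponsoring registrar ID.
SPONSORS = {"apple.com": "registrar-A", "orange.com": "registrar-B"}

if __name__ == "__main__":
    for ns in ("ns1.apple.com", "ns1.orange.com"):
        print("apple.com NS", ns, "needs glue:", needs_glue("apple.com", ns))
    for who in ("registrar-A", "registrar-B"):
        print(who, "may create ns1.apple.com:",
              may_create_host("ns1.apple.com", who, SPONSORS))
```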