Wrong names for NS and glue records not in the child zone

Laurent Bauer l.bauer at mailclub.fr
Mon Dec 20 15:18:07 UTC 2010


On 20/12/2010 13:50, Kalman Feher wrote:
>> The registry NS return an authority section like:
>>   domain.tld. IN NS ns1.domain.tld.
>>   domain.tld. IN NS ns2.domain.tld.
>> and an additional section with these glue records.
>>
>> The delegation should be:
>>   domain.tld. IN NS ns1.domain.com.
>>   domain.tld. IN NS ns2.domain.com.
>> which are also glue records, by the way, but domain.com. resolution is OK.
>>
>> Anyway, my cache NS (bind 9.7.1-P2) still resolves A records for
>> www.domain.tld. I flushed the cache before.
>> Does it mean that bind ignores the authoritative answer for glue records
>> and the NS records?
> Glue records are not authoritative, although depending on the registry in
> question they may reply as such. In any case the apex of the zone is
> considered the most trustworthy by BIND so it will cache the child zone NS
> records in preference to the glue records. Of course once the cache expires,
> unless one of the delegation points is accessible from the parent zone (are
> all NS records for the domain wrong in the parent?) the domain will no
> longer be accessible. You've already proven as much with the +trace. Your
> only option is to fix the glue records.

Thanks for your answer.
Yes, I've been trying to get the glue records fixed for several days;
actually there should be no glue record at all, as the authoritative NS
for domain.tld should be ns(1|2).domain.com, not ns(1|2).domain.tld.
Sorry, I forgot to mention that there were only those two NS, so yes, all NS
records are currently wrong in the parent.
But the IP addresses of the glues refer to the correct servers (copied
from the correct NS names), so I was wondering if this was the reason
why my cache server was still resolving some records.

	Laurent
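
The mismatch discussed in this thread, as an added example that is not part of the original messages: a Python check that compares the NS set handed out by the parent with the NS set at the child's apex, and tests whether the parent's glue addresses still lead to the child's servers. Zone names follow the thread; the IP addresses and all function names are constructed for illustration.

```python
# Added example: compare a parent-side referral with the child's own apex NS set.
# Addresses are constructed sample data (192.0.2.0/24 is documentation space).
PARENT_REFERRAL = """\
domain.tld.      IN NS ns1.domain.tld.
domain.tld.      IN NS ns2.domain.tld.
ns1.domain.tld.  IN A  192.0.2.1
ns2.domain.tld.  IN A  192.0.2.2
"""
CHILD_ANSWERS = """\
domain.tld.      IN NS ns1.domain.com.
domain.tld.      IN NS ns2.domain.com.
ns1.domain.com.  IN A  192.0.2.1
ns2.domain.com.  IN A  192.0.2.2
"""

def parse(text):
    """Return (ns, addrs): owner -> NS targets, owner -> A/AAAA addresses."""
    ns, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # skip blanks, comments and short lines
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1].lower()
        if rtype == "NS":
            ns.setdefault(owner, set()).add(rdata)
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return ns, addrs

def in_bailiwick(name, zone):
    """True when name sits at or below zone, i.e. the parent must supply glue."""
    return name == zone or name.endswith("." + zone)

def check_delegation(zone, parent_text, child_text):
    p_ns, p_addr = parse(parent_text)
    c_ns, c_addr = parse(child_text)
    parent, child = p_ns.get(zone, set()), c_ns.get(zone, set())
    glue_ips = set().union(*(p_addr.get(n, set()) for n in parent))
    child_ips = set().union(*(c_addr.get(n, set()) for n in child))
    return {
        "consistent": parent == child,
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
        "glue_needed_for": sorted(n for n in parent if in_bailiwick(n, zone)),
        # Wrong names but right addresses: the referral still lands on the child's servers.
        "glue_reaches_child_servers": bool(glue_ips) and glue_ips <= child_ips,
    }

if __name__ == "__main__":
    print(check_delegation("domain.tld.", PARENT_REFERRAL, CHILD_ANSWERS))
```
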


