ignoring incorrect nameservers in authority section

Sunil Shetye shetye at bombay.retortsoft.com
Wed Dec 22 12:55:54 UTC 2010


Quoting from Matus UHLAR - fantomas's mail on Wed, Dec 22, 2010:
> > Case 1:
> > 
> > Domain: e-nxt.com
> > Real Nameservers: ns1.webpresenceworld.com. ns2.webpresenceworld.com.
> > Fake Nameservers: ns5.zenexpress.com. ns6.zenexpress.com.
> 
> Why fake? 
> 
> Both ns1.webpresenceworld.com and ns2.webpresenceworld.com - the delegated
> nameservers for e-nxt.com provide the same records for a domain, including
> NS records for ns5.zenexpress.com and ns6.zenexpress.com.
> 
> The fact that ns5.zenexpress.com and ns6.zenexpress.com do not provide the
> has nothing to do with this. 
> 
> Blame the person who added those NS records to e-nxt.com, someone at
> webpresenceworld.com would know where they get the zone.

Please note that these are not rare cases. I have seen this happen for
so many domains in the past. It is not practical for me to start
communicating with those administrators and find out who is to blame
for that. It is easier for me if:

- named caches the authority section from the reply of the parent
  nameserver only, or

- named does not cache the authority section at all.

> > Case 2:
> > 
> > Domain: imagesystems.co.in
> > Real Nameservers: ns1.servershost.net. ns2.servershost.net.
> > Fake Nameservers: ns1.cyberasiantrade.com. ns2.cyberasiantrade.com.
> 
> Exactly the same applies here, just different domain and servers.
> 
> 
> Both domains are delegated to servers that provide DNS for the domain, which
> is correct. But both domains themselves contain NS Records to different
> servers that do not provide those domains.
> 
> In both cases, someone has put wrong NS records into the domain, causing
> their unreachability.
> 
> Note that the NS records in the domains always prevail over those in
> delegation - the DNS master should always know best which servers are
> authoritative for it.

Why is that? In fact, it is the parent which knows which servers are
authoritative. After all, any query is eventually routed via the
parent nameserver only. If the parent nameserver did not know the
answer, the domain would anyway have been unreachable.

I agree that the DNS master is supposed to know better than the
parent, but it is safer if the parent nameserver data is cached rather
than the domain nameserver data.

Please note that it is very hard to find the root of this problem when
'dig +trace' works correctly and consistently whereas 'dig' does not
give any response or gets a wrong response. All I want to ensure is
that both the commands give the same response. Please help me achieve
that.


Is there any option to make the NS records in the delegation prevail
over the NS records in the domain?


Is there any option to not cache the NS records from the authority
section at all?


Is there any option to add workarounds for specific domains /
nameservers like the ones listed above?

-- 
Sunil Shetye.
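The following is an added example, not code from this thread or from BIND. It is a small Python model of the two caching policies debated above (cache the NS records from the child zone's authority section, as named does, or cache only the parent's delegation, as Sunil asks for), applied to constructed dig-style lines built from the Case 1 names. The `serving` set, the TTLs and the record lines are assumptions made for the example. The `mismatch_report` function is the check an operator would run before blaming anyone: compare what `dig +trace` shows from the parent with the NS RRset the delegated servers themselves return. BIND's real behaviour follows the data-ranking rules of RFC 2181 section 5.4.1, which this toy model does not implement.

```python
"""Toy model of resolver NS caching for a lame-NS-in-zone situation.
Added example; the record lines and the 'serving' sets are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    """One delegated domain as seen from a resolver.

    delegation_ns: NS names the parent (.com) hands out in its referral
    apex_ns: NS names in the child zone itself, i.e. the authority section
             of replies from the delegated servers
    serving: servers that actually answer authoritatively for the domain
    """
    name: str
    delegation_ns: frozenset
    apex_ns: frozenset
    serving: frozenset


def parse_ns_rrset(lines):
    """Parse dig-style NS lines ('e-nxt.com. 3600 IN NS ns1.x.com.') into
    a set of lower-cased owner-less nameserver names; other lines are ignored."""
    names = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            names.add(parts[4].rstrip(".").lower())
    return frozenset(names)


def cached_ns(zone, policy):
    """Which NS set ends up in the cache under each policy from the thread."""
    if policy == "child-prevails":   # the behaviour Matus describes for named
        return zone.apex_ns
    if policy == "parent-only":      # the first option Sunil asks for
        return zone.delegation_ns
    raise ValueError("unknown policy: %r" % policy)


def resolves(zone, policy):
    """True if at least one cached nameserver really serves the zone.
    'dig +trace' always follows the delegation, so it corresponds to
    'parent-only'; a plain 'dig' against a warm cache corresponds to
    whatever the resolver cached."""
    return bool(cached_ns(zone, policy) & zone.serving)


def mismatch_report(zone):
    """The check to run before filing a complaint: NS names that appear
    in the child zone but not in the delegation, and vice versa."""
    return {
        "only_in_zone": sorted(zone.apex_ns - zone.delegation_ns),
        "only_in_delegation": sorted(zone.delegation_ns - zone.apex_ns),
    }


# Constructed input modelled on Case 1 (record lines and TTLs are assumed).
PARENT_REFERRAL = [   # what 'dig +trace' shows coming from the .com servers
    "e-nxt.com.  172800 IN NS ns1.webpresenceworld.com.",
    "e-nxt.com.  172800 IN NS ns2.webpresenceworld.com.",
]
CHILD_AUTHORITY = [   # authority section returned by the delegated servers
    "e-nxt.com.  3600 IN NS ns5.zenexpress.com.",
    "e-nxt.com.  3600 IN NS ns6.zenexpress.com.",
]

CASE1 = Zone(
    name="e-nxt.com",
    delegation_ns=parse_ns_rrset(PARENT_REFERRAL),
    apex_ns=parse_ns_rrset(CHILD_AUTHORITY),
    # assumption for the example: only the delegated servers answer
    serving=frozenset({"ns1.webpresenceworld.com", "ns2.webpresenceworld.com"}),
)

if __name__ == "__main__":
    for policy in ("parent-only", "child-prevails"):
        print("%-15s resolves=%s" % (policy, resolves(CASE1, policy)))
    print(mismatch_report(CASE1))
```

Run as a script it prints that Case 1 resolves under `parent-only` but not under `child-prevails`, and lists the two zenexpress.com names as present only in the zone. Feeding the output of a real `dig +trace` and a real `dig @ns1 NS e-nxt.com` into `parse_ns_rrset` gives the same comparison for a live domain.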
