nameserver registration

Michael Sinatra michael at rancid.berkeley.edu
Sat Jun 18 20:25:53 UTC 2011


On 06/18/11 10:26, David Miller wrote:

> All domains, at every level, have to configure their records such that
> the tree can be walked from root to their domain.
>
> Follow the "."s.
>
> For: this.long.chain.example.com.
>
> com. must be delegated by .
> example.com. must be delegated by com.
> chain.example.com. must be delegated by example.com.
> long.chain.example.com. must be delegated by chain.example.com.
> this.long.chain.example.com. must be delegated by long.chain.example.com.
>
> The wikipedia article on DNS is quite good:
> http://en.wikipedia.org/wiki/Domain_Name_System
>
> In the particular case of the OP - example.net. has name servers under
> example.com.
>
> To make lookups for records under example.net., resolvers walk the tree
> from "." to "net." and get NS records - ns1.example.com. and
> ns2.example.com.
>
> You can't insert glue records into net. for name servers that exist
> under com., so now resolvers walk the tree from "." to "com." to get the
> name servers for example.com. which in the OP's case are - GoDaddy name
> servers.

In theory, you can insert glue records anywhere above the zone in 
question.  See RFC 2181, section 5.4.1.

As an example, glue for the servers adns1.berkeley.edu and 
adns2.berkeley.edu exists in the root zone.

> If there are no glue records in com. for ns1.example.com. and
> ns2.example.com., then resolvers will just ask the authoritative name
> servers for example.com. (which in the OP's case are - GoDaddy name
> servers) for the A/AAAA records for ns1.example.com. and
> ns2.example.com. If the GoDaddy name servers provide A/AAAA records for
> ns1.example.com. and ns2.example.com., then resolution works and
> everyone is happy.
>
> Glue is only required if that is the only way to traverse the tree to
> get to the IP addresses for the name servers for a domain.

A registrar can't know this a priori, and more importantly, can't know 
that it will always be the case with a particular domain and/or NS RRs. 
Registrars therefore have to require registered DNS servers when a 
registrant wants a new domain.

> Can someone point to an RFC or BCP that says that *all* name servers *must* have glue present in their parent?

I doubt such an RFC exists.  RFC 1912, section 2.3 does a nice job of 
summing up where glue is necessary and where it isn't, but that doesn't 
take into account NS records that are in zones that are completely 
outside the administration of the registrar and/or registrant.

michael
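
[Added example, not part of the original message and not BIND code: a small offline model of the "is glue the only way to reach these name servers" question discussed in the thread. All zone names and records below are constructed sample data, the function names are hypothetical, and root and TLD servers are assumed to be always reachable.]

```python
# Constructed sample data: zone -> NS host names published for it.
DELEGATIONS = {
    "hoster.test.": ["ns1.hoster.test."],      # name server inside its own zone
    "example.com.": ["ns1.hoster.test."],      # hosted by a third party
    "example.net.": ["ns1.example.com.", "ns2.example.com."],
    "a.test.": ["ns.b.test."],                 # a and b depend on each other
    "b.test.": ["ns.a.test."],
}
# zone -> NS names whose addresses are handed out with the referral (glue).
GLUE = {"hoster.test.": {"ns1.hoster.test."}}

def ancestors(name):
    """'ns1.example.com.' -> itself, 'example.com.', 'com.', '.'"""
    name = name.lower()
    while name != ".":
        yield name
        name = name.partition(".")[2] or "."
    yield "."

def is_top(zone):
    return zone.count(".") <= 1          # root or TLD: assumed always reachable

def enclosing_zone(name, delegations):
    """Closest zone cut at or above name, i.e. where its records live."""
    return next(z for z in ancestors(name) if z in delegations or is_top(z))

def reachable(zone, delegations, glue, pending=frozenset()):
    """Can a resolver get an address for at least one name server of zone?"""
    if is_top(zone):
        return True
    if zone in pending:                  # zone would be needed to resolve itself
        return False
    pending = pending | {zone}
    parent = enclosing_zone(zone.partition(".")[2], delegations)
    if not reachable(parent, delegations, glue, pending):
        return False
    for ns in delegations[zone]:
        if ns in glue.get(zone, ()):     # address supplied with the referral
            return True
        if reachable(enclosing_zone(ns, delegations), delegations, glue, pending):
            return True
    return False

def glue_required(zone, delegations, glue):
    """True when zone cannot be reached once its own glue is taken away."""
    return not reachable(zone, delegations, {**glue, zone: set()})
```

The a.test./b.test. pair has no in-zone name server names, yet neither zone can be reached without glue, which is the kind of dependency a registrar cannot see from one delegation alone.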



More information about the bind-users mailing list