Zone name conflicts / overlapping

Doug Barton dougb at dougbarton.us
Mon Sep 19 07:20:37 UTC 2011


On 09/18/2011 22:45, Ben C. wrote:
> Hello all,
> 
> This is my first post to bind-users, so I would like to first of all
> say hello, and thanks to everyone who takes their time to read and
> respond to any mailing list post. =)
> 
> I have a fairly complex situation

Step 1, simplify wherever possible. Doing DNS well is hard enough as it
is without adding extra drama where it's not absolutely necessary.

> where I have a pDNS server and an ISC
> BIND server, both containing unique zones.  I'm trying to make them
> "sync" to each other so that the end result is they both contain the
> same list of zones,

... good so far.

> and update the opposite's zone files regularly. 

I'm assuming what you mean here is that for the zones that server is
slave for that they get downloaded from the master when there are
updates. If you mean something else, please clarify.

> I am doing my best in designing it so that it *shouldn't* have the
> possibility of a zone conflict, where server A says something about
> zone "foo.com", and server B contains its own unique record, so when
> they sync, .. well ...

Given masters on 2 different hosts you are going to have to be 100%
responsible for systematically ensuring that conflicting records don't
get created.

> However, the situation got interesting when the following occurs:
> 
> zone "ns1.foo.com" {
>   type master;
>   file "/path/to/ns1.foo.com";
> };
> 
> zone "foo.com" {
>   type master;
>   file "/path/to/foo.com";
> };
> 
> Where ns1.foo.com's zone file would obviously contain an A record for
> itself (ns1.foo.com.) and then foo.com's zone file contains an A
> record for the same zone / hostname, ns1.foo.com.

Actually neither of those are "obvious." Further, given your specific
example the only requirement is that there be a delegation in the
foo.com zone to the ns1.foo.com zone. Absent a specific delegation, in
the scenario you describe, BIND will assume one; which may introduce
even more confusion/complexity in your situation.

> It appears to me, BIND sees the conflict / overlap but does not care
> about the order they are in, nor cares to exit (or even tell anybody
> about it), but simply use the more "specific" zone file which would be
> "ns1.foo.com".  I'm pretty sure this is intended behavior. Although
> for my specific and very individual circumstance, this is not ideal
> for me, but I'm by no means saying this is a bug, or "bad" behavior.
> 
> I'm simply trying to figure out (1) if this is indeed the correct
> assumption, that BIND will always use the more "specific" zone,  ...

In the general case that is almost certainly true, however in your
specific example, assuming that there is a delegation record in foo.com
to ns1.foo.com, any A/AAAA record for that hostname in foo.com _will_ be
overridden by a corresponding record in the ns1.foo.com zone by design.
Records in delegated zones always take precedence over the same record
in the parent zone.

> (2) if there are ways to modify the behavior (short of editing the way
> BIND, or even DNS works) ...

No.

> (3) if there is a way to at least
> identify this kind of behavior in logs (error/warning message? maybe
> I'm missing it..) ..

No.

> (4) a link or referral to any kind of relevant
> information would be useful -- documentation, mailing lists, anything
> -- I did a _lot_ of googling and even peeked around on IRC asking
> around, but either I'm not asking the question correctly, or it's not
> a very common thing :)

No, it's more that it's such a fundamental issue that documenting it
outside of a manual is unlikely.


hth,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
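
Added example, not part of the original message and not BIND code: since the reply says BIND logs nothing about this overlap, a pre-deployment check can list configured zones nested inside other configured zones and the parent-zone records at or below the child apex. Function names and the sample named.conf and zone data are constructed for illustration; zone records are assumed to be already parsed into (owner, type, rdata) tuples.

```python
import re

# Constructed sample input: the two zone statements quoted in the post plus an unrelated zone.
NAMED_CONF = '''
zone "ns1.foo.com" { type master; file "/path/to/ns1.foo.com"; };
zone "foo.com" { type master; file "/path/to/foo.com"; };
zone "bar.org" { type master; file "/path/to/bar.org"; };
'''

# Constructed contents of the foo.com zone as (owner, type, rdata), owners fully qualified.
FOO_COM = [
    ("foo.com.", "SOA", "ns.foo.com. hostmaster.foo.com. 1 3600 900 604800 300"),
    ("foo.com.", "NS", "ns.foo.com."),
    ("ns.foo.com.", "A", "192.0.2.1"),
    ("ns1.foo.com.", "A", "192.0.2.53"),   # same owner name as the child zone apex
    ("www.foo.com.", "A", "192.0.2.80"),
]

def zone_names(conf):
    """Zone names from named.conf text, lower-cased with a trailing dot."""
    return [n.lower().rstrip(".") + "." for n in re.findall(r'zone\s+"([^"]+)"', conf)]

def overlapping_zones(names):
    """(child, parent) pairs where one configured zone is a subdomain of another."""
    return sorted((c, p) for c in names for p in names
                  if c != p and c.endswith("." + p))

def audit_parent(records, child):
    """Return (has_delegation, hidden): hidden lists parent records at or below
    the child apex that are neither NS/DS at the cut nor glue for its NS targets."""
    ns_targets = {r.lower() for o, t, r in records if o == child and t == "NS"}
    hidden = []
    for owner, rtype, rdata in records:
        at_or_below = owner == child or owner.endswith("." + child)
        if not at_or_below or (owner == child and rtype in ("NS", "DS")):
            continue
        if rtype in ("A", "AAAA") and owner in ns_targets:
            continue  # glue address for a delegated name server
        hidden.append((owner, rtype, rdata))
    return bool(ns_targets), hidden

def report(conf, zone_records):
    """Audit every overlapping pair; zone_records maps parent zone name -> records."""
    return {(c, p): audit_parent(zone_records.get(p, []), c)
            for c, p in overlapping_zones(zone_names(conf))}

if __name__ == "__main__":
    for (child, parent), (delegated, hidden) in report(NAMED_CONF, {"foo.com.": FOO_COM}).items():
        print(f"{child} overlaps {parent}: delegation={'yes' if delegated else 'MISSING'}")
        for owner, rtype, rdata in hidden:
            print(f"  not served from {parent}: {owner} {rtype} {rdata}")
```
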



