DNS: how to verify glue NS records?

Alexei Malinin Alexei.Malinin at mail.ru
Fri Dec 5 19:31:15 UTC 2014


Hi Casey.

Thank you for the explanation.

I'm sorry for the misleading Subject of this thread, of course I meant
"delegation NS records".

I understand from your reply that there are no technical means, tools,
etc for verifying delegation NS records in the parent zone if the child
and parent zone are on the same authoritative name server and zone
transfers from that server are prohibited. Is my conclusion correct?


PS. Thank you for the good advice :)


--
Alexei


On 12/05/14 18:39, Casey Deccio wrote:
> Hi Alexei,
>
> On Fri, Dec 5, 2014 at 10:16 AM, Alexei Malinin
> <Alexei.Malinin at mail.ru> wrote:
>
>     I would like to resolve this problem:
>     - I have a child DNS zone served by my ISP slave name server;
>     - the parent zone is served by my ISP master name server;
>     - the question is - how and with what tools (dig, host, nslookup, or
>     maybe C or Perl libs) can I verify the NS glue records in the parent
>     zone of my ISP (zone transfers are denied)?
>
>
> The delegation NS records (i.e., the NS records in the parent zone)
> cannot be determined using simple queries because the parent zone is
> also authoritative for the child zone, as you mentioned.  Thus, when
> one of those servers (e.g., ns1.agtel.net) is
> queried for 0-15.66.233.212.in-addr.arpa/NS, the server will (should)
> always send the authoritative NS RRset in (i.e., from the child)
> preference to the delegation NS RRset (i.e., in the parent), and in
> fact the latter may be different.
>
> There are by definition no glue records for your zone.  Glue A/AAAA
> records are only required in the parent for NS targets that are
> subdomains of the delegated child zone to bootstrap resolution.  For
> example, ns1.example.com as an NS target for
> example.com.  That is not the case with yours
> (and usually isn't with in-addr.arpa zones).
>
>
>     My child zone is 0-15.66.233.212.in-addr.arpa. I tried "dig -4
>     +multiline +showsearch +trace 0-15.66.233.212.in-addr.arpa ns" but it
>     was not possible to make any conclusions about NS glue records
>     from the
>     dig output.
>
>     I found some tools in the Internet (for example
>     http://www.intodns.com/0-15.66.233.212.in-addr.arpa, see "Missing
>     nameservers reported by parent") but these are inconvenient, I would
>     like to use OS tools.
>
>
> That's unfortunately a misleading error, as this cannot be determined,
> as I mentioned above.
>  
>
>
>     Please give me some good advice.
>
>
> You'll need to take the word of the operator of your parent zone.
>
> Casey
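
The difference between the child's authoritative NS RRset and the parent's delegation NS RRset is visible in the header flags and sections of a non-recursive dig response, and the glue rule reduces to a suffix check on the NS target. The script below is an added example, not part of the original thread: the function names, the two dig output samples and the names ns1.isp.example / ns2.isp.example are constructed for illustration.

```shell
#!/bin/sh
# Classify `dig +norecurse <zone> NS @<server>` output read from stdin:
#   authoritative = aa flag set, NS RRset in ANSWER (the child zone's own copy)
#   referral      = no aa flag, empty ANSWER, NS RRset in AUTHORITY (delegation)
classify_ns_response() {
    awk '
        /^;; flags:/ { f = $0; sub(/;[^;]*$/, "", f); aa = (f ~ / aa( |$)/) }
        /^;; ANSWER SECTION:/     { sec = "answer"; next }
        /^;; AUTHORITY SECTION:/  { sec = "authority"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "additional"; next }
        /^$/                      { sec = "" }
        sec != "" && $4 == "NS"   { ns[sec]++ }
        END {
            if (aa && ns["answer"] > 0) print "authoritative"
            else if (!aa && ns["answer"] == 0 && ns["authority"] > 0) print "referral"
            else print "unknown"
        }'
}

# Succeeds when NS target $2 is a subdomain of delegated zone $1 (glue needed).
needs_glue() {
    zone=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    target=$(printf '%s' "${2%.}" | tr 'A-Z' 'a-z')
    case "$target" in *".$zone") return 0 ;; *) return 1 ;; esac
}

# Constructed sample: server hosting parent and child answers from the child.
sample_same_server() { cat <<'EOF'
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
0-15.66.233.212.in-addr.arpa. 3600 IN NS ns1.isp.example.
0-15.66.233.212.in-addr.arpa. 3600 IN NS ns2.isp.example.
EOF
}

# Constructed sample: server hosting only the parent returns a referral.
sample_parent_only() { cat <<'EOF'
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
0-15.66.233.212.in-addr.arpa. 3600 IN NS ns1.isp.example.
0-15.66.233.212.in-addr.arpa. 3600 IN NS ns2.isp.example.
EOF
}

sample_same_server | classify_ns_response   # authoritative
sample_parent_only | classify_ns_response   # referral
```

An "authoritative" result from every server of the parent zone means the delegation NS RRset is not exposed by that query, which is the situation described in the thread.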



More information about the bind-users mailing list