Delegation NS-records when zones share an authority server

John Thurston john.thurston at alaska.gov
Wed Apr 12 16:10:48 UTC 2023


I uncovered an oddity in my zone definitions, which I'm trying to wrap 
my head around.

We have authority over state.ak.us, which we publish as a public zone. 
We also publish challenge.state.ak.us as a public zone.

The public NS records for state.ak.us are: ns4.state.ak.us and 
ns3.state.ak.us. The NS records for challenge.state.ak.us are the same.

I recently noticed there were no NS records _in the state.ak.us zone_ 
for challenge.state.ak.us. This had me scratching my head ... "how can 
this be working?", until I remembered the same instances of BIND were 
serving out both zones. There _were_ NS records in the 
challenge.state.ak.us zone; BIND had them, was authoritative, and so would 
answer with them. BIND didn't need to look in the state.ak.us zone to 
find them.

Some experimentation shows that even if I insert NS records into 
state.ak.us (for challenge.state.ak.us), BIND does not add them to its 
answer when asked "dig NS challenge.state.ak.us". I interpret this to 
mean that while this instance of BIND is authoritative for both zones, 
it answers with information from the most specific zone it has, and 
ignores values in the delegating zone. And that makes sense to me.

Now the question is, should I insert NS records into state.ak.us (for 
challenge.state.ak.us) anyway? Arguments in favor:

  * Every other zone we delegate is handled by some other set of name
    servers, so we've come to accept (and expect) "every delegated zone
    will have NS records here".  This outlier had me scratching my head,
    and will cause someone else confusion in the future.
  * The time may come when challenge.state.ak.us is not handled by the
    same instance of BIND as state.ak.us. Having benign delegation
    records present will remind Future-Self to adjust the values to
    delegate to the new servers.
  * We parse the state.ak.us zone file to identify all delegated zones,
    and run periodic tests to confirm those delegates are delivering
    coherent answers. With no NS records for challenge.state.ak.us, we
    have not been performing these tests.

Arguments against:

  * Maybe I misunderstand, and such NS records aren't actually benign

Unknown:

  * Does the answer change if we want to start signing either zone?

-- 
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
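One way to run the delegation-coherence test the post describes, as an added example (not the author's tooling): it pulls the NS records out of the parent and child zone files and reports "missing" for exactly the situation above, where the child works only because one server is authoritative for both zones. The zone snippets below are constructed, and the zone-file parser is deliberately minimal (no $INCLUDE, no multi-line records).

```python
def _fqdn(name, origin):  # expand '@' and relative names to absolute, lower-case
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_ns(zone_text, origin):
    """NS records by owner; handles $ORIGIN, relative names, continuation lines, TTL/class."""
    origin = origin.rstrip(".").lower() + "."
    ns, owner = {}, origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # $ORIGIN, $TTL, $INCLUDE ...
            if line.startswith("$ORIGIN"):
                origin = line.split()[1].rstrip(".").lower() + "."
            continue
        fields = line.split()
        if not raw[0].isspace():                      # a new owner name
            owner = _fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                             # optional TTL and class
        if len(fields) >= 2 and fields[0].upper() == "NS":
            ns.setdefault(owner, set()).add(_fqdn(fields[1], origin))
    return ns

def delegations(zone_text, origin):  # delegation points: NS RRsets below the apex
    apex = origin.rstrip(".").lower() + "."
    return {name for name in parse_ns(zone_text, origin) if name != apex}

def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Compare the parent's delegation NS RRset with the child's apex NS RRset."""
    child = child_origin.rstrip(".").lower() + "."
    parent_ns = parse_ns(parent_text, parent_origin).get(child, set())
    child_ns = parse_ns(child_text, child_origin).get(child, set())
    if not parent_ns:                # the case in the post: no NS records in the parent
        return "missing", parent_ns, child_ns
    return ("coherent" if parent_ns == child_ns else "mismatch"), parent_ns, child_ns

# Constructed zone snippets mirroring the post; SOA values are placeholders.
PARENT_ZONE = """$ORIGIN state.ak.us.
@ 3600 IN SOA ns3 hostmaster 1 3600 900 604800 300
  IN NS ns3
  IN NS ns4
other IN NS ns1.example.net.   ; a normally delegated child
"""
CHILD_ZONE = """$ORIGIN challenge.state.ak.us.
@ IN NS ns3.state.ak.us.
  IN NS ns4.state.ak.us.
"""
```

Adding `challenge IN NS ns3` / `challenge IN NS ns4` to the parent turns the result into "coherent", and any other set of names at that owner into "mismatch".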