Non-improving referral

Petr Menšík pemensik at redhat.com
Thu Feb 8 10:29:55 UTC 2024


Yes, but I doubt you would like it more. You can always create your own 
parent zone copy and make the modified delegation only in it. Then if it 
should be DNSSEC signed, you would have to set up a trust anchor for your 
TLD. But this way, you can test any changes to the zone in your lab, without 
affecting the production zone.

But I think this is increased work and the result might be very 
different. If you just want to test an alternative server deployment, 
DNAT the (production) server address to your temporary instance(s). That may 
work better without extra preparation steps. Again, this would make it 
accessible only in your lab, but might allow you to test whatever you 
want. I expect you can access any private keys, which might be used by 
your own zone.

Hope that helps.

Cheers,
Petr

On 2/4/24 12:13, Gabi Nakibly wrote:
> Thanks for the response. However, I strongly prefer not to update the 
> parent zone as this is only a temporary nameserver for testing purposes.
> Is there any way to add a new name server (with a new name) without 
> updating the parent zone?
>
> On Sun, Feb 4, 2024, 12:01 Mark Andrews <marka at isc.org> wrote:
>
>     You have your answer. Update the parent zone.
>
>     -- 
>     Mark Andrews
>
>>     On 4 Feb 2024, at 18:27, Gabi Nakibly <gabinkbl at gmail.com> wrote:
>>
>>     
>>     Hi,
>>     I would like to set up a new temporary nameserver for my zone
>>     (say 'example.com'), however for
>>     various reasons I prefer not to change the delegation of my
>>     parent zone ('.com'). So I need the current name server
>>     ('ns.example.com') to refer resolvers to
>>     my new temporary name server ('ns-temp.example.com').
>>     However, when I tried to test
>>     this set-up with a BIND resolver, when the resolver got the
>>     delegation to the temporary name server it failed with
>>     'non-improving referral'.
>>     How can I resolve this so the delegation will work for a BIND
>>     resolver having default config (or with any other resolver for
>>     that matter)? I know that I can simply update delegation at the
>>     parent zone to point directly to the new name server, but I
>>     prefer not to do this right now and I am looking for ways to do
>>     this without changing the parent delegation.
>
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
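
Why the original setup fails and why the lab-only parent zone copy suggested in this reply avoids it, as an added example that is not part of the thread: a simplified Python model of a resolver's referral check, not BIND's source code. The function names and the lab server name are hypothetical, and the zone data is constructed from the names used in the thread.

```python
# Simplified model of a resolver's referral check (illustrative, not BIND source).

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, parent):
    """True if name is at or below parent."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def classify_referral(current_cut, ns_owner):
    """Classify a referral whose NS RRset is owned by ns_owner,
    received from a server that is authoritative for current_cut."""
    if not is_subdomain(ns_owner, current_cut):
        return "out-of-bailiwick"   # points sideways or upward
    if labels(ns_owner) == labels(current_cut):
        return "non-improving"      # same zone cut: no progress, possible loop
    return "improving"              # strictly deeper zone cut: follow it

def resolve(delegations, start="."):
    """Follow referrals given as {zone cut: (NS owner name, NS host)}.
    Returns (status, zone cuts visited, last server queried)."""
    cut, server, path = start, "root", [start]
    while cut in delegations:
        ns_owner, ns_host = delegations[cut]
        verdict = classify_referral(cut, ns_owner)
        if verdict != "improving":
            return verdict, path, server
        cut, server = ns_owner, ns_host
        path.append(cut)
    return "answered", path, server

# Constructed data: ns.example.com answers with a referral for its own zone.
PRODUCTION = {
    ".": ("com", "a.gtld-servers.net"),
    "com": ("example.com", "ns.example.com"),
    "example.com": ("example.com", "ns-temp.example.com"),
}
# Constructed data: a lab copy of the parent zone delegates straight to ns-temp.
LAB_PARENT_COPY = {
    ".": ("com", "lab-com-copy.invalid"),   # hypothetical lab server name
    "com": ("example.com", "ns-temp.example.com"),
}

if __name__ == "__main__":
    print(resolve(PRODUCTION))
    print(resolve(LAB_PARENT_COPY))
```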