Non-improving referral
Petr Menšík
pemensik at redhat.com
Thu Feb 8 10:29:55 UTC 2024
Yes, but I doubt you would like it more. You can always create your own
parent zone copy and make modified delegation only in it. Then if it
should be DNSSEC signed, you would have to setup trust anchor for your
TLD. But this way, you can test any changes to zone in your lab, without
affecting production zone.
But I think this is an increased work and the result might be very
different. If you want just testing of alternative server deployment,
DNAT (production) server address to your temporary instance(s). That may
work better without extra preparation steps. Again, this would make it
accessible only in your lab, but might allow you testing whatever you
want. I expect you can access any private keys, which might be used by
your own zone.
Hope that helps.
Cheers,
Petr
On 2/4/24 12:13, Gabi Nakibly wrote:
> Thanks for the response. However, I strongly prefer not to update the
> parent zone as this is only a temporary nameserver for testing purposes.
> Is there anyway to add a new name server (with a new name) without
> updating the parent zone?
>
> On Sun, Feb 4, 2024, 12:01 Mark Andrews <marka at isc.org> wrote:
>
> You have your answer. Update the parent zone.
>
> --
> Mark Andrews
>
>> On 4 Feb 2024, at 18:27, Gabi Nakibly <gabinkbl at gmail.com> wrote:
>>
>>
>> Hi,
>> I would like to set up a new temporary nameserver for my zone
>> (say 'example.com <http://example.com>'), however for
>> various reasons I prefer not to change the delegation of my
>> parent zone ('.com'). So I need the current name server
>> ('ns.example.com <http://ns.example.com>') to refer resolvers to
>> my new temporary name server ('ns-temp.example.com
>> <http://ns-temp.example.com>'). However, when I tried to test
>> this set-up with a BIND resolver, when the resolver got the
>> delegation to the temporary name server it failed with
>> 'non-improving referral'.
>> How can I resolve this so the delegation will work for a BIND
>> resolver having default config (or with any other resolver for
>> that matter)? I know that I can simply update delegation at the
>> parent zone to point directly to the new name server, but I
>> prefer not to do this right now and I am looking for ways to do
>> this without changing the parent delegation.
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> ISC funds the development of this software with paid support
>> subscriptions. Contact us at https://www.isc.org/contact/ for
>> more information.
>>
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
>
--
Petr Menšík
Software Engineer, RHEL
Red Hat,https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240208/4a64fa54/attachment.htm>
More information about the bind-users
mailing list