dns zone delegation
Kevin Darcy
kcd at chrysler.com
Mon Jul 6 23:35:29 UTC 2009
Michael Milligan wrote:
> Mark Andrews wrote:
>
>> In message <4A4DD8A6.70902 at bluewin.ch>, "Martin.Wismer." writes:
>>
>>> Hello Mark, Hello Jittinan,
>>>
>>> thank you for informing us/me, that bluewin.ch shod do some
>>> improovements in our dns-settings.
>>> Yes, the bluewin.ch is on 4 dns-bind-Server's, but some Entries,
>>> www.bluewin.ch, are delegated to 4 Global-Site-Selectors which act as
>>> DNS-Server's.
>>> Mark:
>>> If I understand you correctly, the GSS should also return SOA and NS
>>> Records for the domain www.bluewin.ch.
>>> Could you confirm, that's, what a propper delegation would mean?
>>>
>> Yes. That is what should be returned when a SOA or NS
>> query is made for www.bluewin.ch to the GSS servers.
>>
>>
>
> My gawd... say it ain't so. I opened bugs for this with Cisco way back
> when it was called Distributed Director (circa 1996). So sad to see
> this is /still/ broken and that they just don't care about fixing it.
> And I bet it still does improper "bouncing" (referrals) back to a
> different set of servers for resolving records it doesn't have (e.g.,
> MX). All these (mis)behaviors regularly causes problems for
> troubleshooters. And I can just imagine how they will deal with DNSSEC...
>
>
I think they've been promising a "fully-featured DNS implementation" for
a few releases now.
I'm not sure what you mean by "bouncing referrals". We use a "shadow"
zone behind the GSSes to provide the necessary SOA/NS apex records.
It's ugly, but it works, kinda...
One compromise we had to make is to put a "dummy" wildcard record in the
shadow zone, to prevent potentially-troublesome NXDOMAIN responses from
ever being generated by the shadow-zone servers and passed back
verbatim. It would have been nicer if the GSS could understand that
(NXDOMAIN from shadow zone + records in GSS for the name -> NODATA back
to the client), but hey, I guess that's asking too much.
Even QTYPE=* queries work, if I recall our conformance testing
correctly, with the GSS being at least smart enough to "merge" the
shadow and non-shadow RRsets in that case. We don't have any use for
that in production, but it's nice to know we could if we wanted to.
- Kevin
More information about the bind-users
mailing list