[dns-operations] Knot and NSD handling names below DNAME incorrectly

Edward Lewis edward.lewis at icann.org
Sun Apr 3 16:03:10 UTC 2016


On 4/3/16, 12:13, "dns-operations on behalf of Anand Buddhdev"
<dns-operations-bounces at dns-oarc.net on behalf of anandb at ripe.net> wrote:

>BIND is being lenient in what it accepts, and conservative in what
>responses it sends out. Since it keeps all the records in memory, it
>will provide these occluded names in an AXFR.

A long time ago, Mark Andrews made a statement that is pertinent, the
statement was to this effect:

A reason not to delete/forget names that are occluded is that the addition
of the NS or DNAME may have been inadvertent.  Let's say TLD xx has an
empty non-terminal at co.xx with a million delegations below co.xx; if
someone were to add an NS at co.xx then there'd be a million deletes to
carry out, followed by a removal of the co.xx and then a million adds to
carry out.  Instead, holding the names and ignoring them in requests
(except for XFRs and other zone management functions) means that the
operator can fix the mistake simply by removing the errant NS at co.xx.

I.e., it's safer for zone operators to keep the cruft in.  This is
documented in section 3.5 ("Occluded Names") in "DNS Zone Transfer
Protocol (AXFR)" aka RFC 5936 [http://www.rfc-editor.org/rfc/rfc5936.txt]
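Added illustration (not part of the message above, nor of the Mark Andrews
statement it paraphrases): a small Python model of the co.xx scenario. The
zone contents and server names (xx., co.xx., ns.hosting.example. and so on)
are constructed for the example, and the occlusion rule is simplified to
"owner names strictly below an NS or DNAME owner"; non-authoritative data at
the cut itself (anything other than NS/DS and glue) is not modelled. It
shows the two views the thread contrasts: the query view, in which names
below an errant NS at co.xx collapse into a referral to co.xx, and the AXFR
view (RFC 5936 section 3.5), in which the occluded names are still
transferred, so deleting the one NS RRset restores the delegations unchanged.

```python
"""Toy model of occluded names in an authoritative zone (RFC 5936 s3.5).

A zone is a dict: owner name -> {RRtype: [rdata, ...]}.  Names are
lower-case and fully qualified with a trailing dot.  Sample data is
constructed for illustration, not taken from any real zone.
"""


def proper_ancestors(name, apex):
    """Ancestors of `name` strictly below `apex`, closest to the apex first.
    proper_ancestors('a.b.co.xx.', 'xx.') -> ['co.xx.', 'b.co.xx.']"""
    labels = name.rstrip('.').split('.')
    n_apex = len(apex.rstrip('.').split('.'))
    return ['.'.join(labels[i:]) + '.'
            for i in range(len(labels) - n_apex - 1, 0, -1)]


def find_cut(zone, apex, qname):
    """Return (kind, owner) of the topmost NS (at or above qname) or DNAME
    (strictly above qname) that takes qname out of this zone's authoritative
    data, or None.  Searching from the apex downwards means a cut that is
    itself occluded by a higher cut is never reported as the active one."""
    for anc in proper_ancestors(qname, apex):
        rrs = zone.get(anc, {})
        if 'NS' in rrs:
            return ('NS', anc)
        if 'DNAME' in rrs:
            return ('DNAME', anc)
    if qname != apex and 'NS' in zone.get(qname, {}):
        return ('NS', qname)          # qname is itself a delegation point
    return None


def lookup(zone, apex, qname):
    """Query view: what a normal query for qname sees.
    Returns (status, owner, rdata-list) with status in
    referral / dname / answer / nodata / nxdomain."""
    cut = find_cut(zone, apex, qname)
    if cut:
        kind, owner = cut
        return ('referral' if kind == 'NS' else 'dname', owner, zone[owner][kind])
    if qname in zone:
        return ('answer', qname, zone[qname])
    if any(n.endswith('.' + qname) for n in zone):
        return ('nodata', qname, None)   # empty non-terminal
    return ('nxdomain', qname, None)


def occluded_names(zone, apex):
    """Owner names the server holds but never answers for directly: those
    strictly below a zone cut or a DNAME (e.g. glue under a delegation)."""
    return sorted(n for n in zone
                  if (c := find_cut(zone, apex, n)) and c[1] != n)


def axfr(zone):
    """Transfer view: every record the server holds, occluded or not,
    as sorted (owner, type, rdata) tuples."""
    return sorted((owner, t, rd)
                  for owner, rrs in zone.items()
                  for t, rds in rrs.items()
                  for rd in rds)


def demo():
    """Constructed scenario from the thread: TLD xx., co.xx. an empty
    non-terminal with delegations below it (three here, not a million)."""
    apex = 'xx.'
    zone = {
        'xx.': {'SOA': ['ns1.xx. hostmaster.xx. 1 3600 900 604800 300'],
                'NS': ['ns1.xx.']},
        'ns1.xx.': {'A': ['192.0.2.1']},
        'alpha.co.xx.': {'NS': ['ns.alpha.co.xx.']},
        'ns.alpha.co.xx.': {'A': ['192.0.2.10']},  # glue, occluded by alpha.co.xx. NS
        'beta.co.xx.': {'NS': ['ns.beta.example.']},
        'gamma.co.xx.': {'NS': ['ns.gamma.example.']},
    }
    before = lookup(zone, apex, 'beta.co.xx.')     # referral to beta.co.xx.
    ent = lookup(zone, apex, 'co.xx.')             # empty non-terminal: nodata
    # Operator mistakenly adds an NS RRset at co.xx.: everything below it is
    # now occluded in the query view ...
    zone['co.xx.'] = {'NS': ['ns.hosting.example.']}
    during = lookup(zone, apex, 'beta.co.xx.')     # referral to co.xx., not beta
    hidden = occluded_names(zone, apex)
    # ... but the server still holds and transfers the occluded names.
    transferred = {owner for owner, _, _ in axfr(zone)}
    # The fix is one delete, not a million deletes plus a million re-adds.
    del zone['co.xx.']
    after = lookup(zone, apex, 'beta.co.xx.')
    return before, ent, during, hidden, transferred, after


if __name__ == '__main__':
    for label, value in zip(('before', 'ent', 'during', 'hidden',
                             'transferred', 'after'), demo()):
        print(f'{label}: {value}')
```

The query view in lookup() stops at the topmost cut on purpose: once co.xx
owns an NS RRset, beta.co.xx's own NS records are no longer reachable
through this zone, which is exactly why a server that dropped them from
storage could not recover from the mistake by deleting the co.xx RRset.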