[dns-operations] Delegation inconsistency

Florian Weimer fw at deneb.enyo.de
Thu Apr 27 18:23:46 UTC 2006


* John Kristoff:

> I was curious if in the strictest sense whether differing TTLs between
> the parent and child constitute an error.  The only discussion I found
> that seemed to indicate this might be a real problem was at the top of
> this page:
>
>   <http://lancelot.cs.ucla.edu/dns/zones/spider/errors.html>

Interesting.  A colleague of mine recently stumbled across a
particular destructive inconsistency while testing some software in
the shady corners of DNS.

The parent zone parent.example. contains this delegation:

  child     172800 IN NS  ns.child
  ns.child  172800 IN A   192.0.2.1

And the child zone contains:

            172800 IN NS  ns1
  ns1       172800 IN A   192.0.2.1

And some other records, but no record for ns.child.parent.example.
This means that if I ask a resolver for ns.child.parent.example. IN
A, the resolver caches the Name Error for that name, and the zone is
inaccessible (more precisely, no new records can be added to the
cache) until this information expires from the cache.  Without the
explicit query, the referral is used, and everything appears to work
as usual.

Maybe this is a BIND-9-specific issue, but it seems difficult to do
this differently when you prefer in-zone data over the information
learned from referrals.

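A small delegation-consistency check, added here as an example and not part of the thread: it parses the two record sets quoted above (constructed below as PARENT_ZONE and CHILD_ZONE, with assumed origins parent.example. and child.parent.example.), compares the parent and child NS sets and their TTLs, and flags a parent-side nameserver name under the child apex that the child zone never defines, which is the case that produces the cacheable Name Error described.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str   # owner name, fully qualified with trailing dot
    ttl: int
    rtype: str
    rdata: str  # NS targets are stored fully qualified as well
def qualify(name, origin):
    """Expand a relative owner or NS target name against the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_records(text, origin):
    """Parse 'owner ttl IN type rdata' lines; four fields means the owner (apex) was omitted."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 4:
            fields.insert(0, "@")
        owner, ttl, _cls, rtype, rdata = fields
        if rtype == "NS":
            rdata = qualify(rdata, origin)
        records.append(RR(qualify(owner, origin), int(ttl), rtype, rdata))
    return records

def delegation_issues(parent, child, apex):
    """Compare the parent's delegation of apex with the child's own apex NS data."""
    parent_ns = [r for r in parent if r.name == apex and r.rtype == "NS"]
    child_ns = [r for r in child if r.name == apex and r.rtype == "NS"]
    p_names, c_names = {r.rdata for r in parent_ns}, {r.rdata for r in child_ns}
    p_ttls, c_ttls = {r.ttl for r in parent_ns}, {r.ttl for r in child_ns}
    issues = []
    if p_names != c_names:
        issues.append(f"NS set differs: parent {sorted(p_names)} vs child {sorted(c_names)}")
    if p_ttls != c_ttls:
        issues.append(f"NS TTL differs: parent {sorted(p_ttls)} vs child {sorted(c_ttls)}")
    # Destructive case from the post: the parent names a host below the child apex that the
    # child zone never defines, so an explicit query for it yields a cacheable Name Error.
    defined = {r.name for r in child}
    for ns in sorted(p_names):
        if ns.endswith("." + apex) and ns not in defined:
            issues.append(f"{ns} is named in the parent delegation but absent from the child zone")
    return issues

# Zone data constructed from the records quoted in the post (assumed origins).
PARENT_ZONE = "child     172800 IN NS  ns.child\nns.child  172800 IN A   192.0.2.1\n"
CHILD_ZONE = "          172800 IN NS  ns1\nns1       172800 IN A   192.0.2.1\n"
```

Calling delegation_issues on parse_records(PARENT_ZONE, "parent.example.") and parse_records(CHILD_ZONE, "child.parent.example.") with apex "child.parent.example." reports the differing NS sets and the undefined ns.child.parent.example., and nothing about TTLs, since both sides use 172800.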