[dns-operations] Delegation inconsistency
Mark_Andrews at isc.org
Sun Apr 30 23:08:42 UTC 2006
> * John Kristoff:
> > I was curious if in the strictest sense whether differing TTLs between
> > the parent and child constitute an error. The only discussion I found
> > that seemed to indicate this might be a real problem was at the top of
> > this page:
> > <http://lancelot.cs.ucla.edu/dns/zones/spider/errors.html>
> Interesting. A colleague of mine recently stumbled across a
> particular destructive inconsistency while testing some software in
> the shady corners of DNS.
> The parent zone parent.example. contains this delegation:
> child 172800 IN NS ns.child
> ns.child 172800 IN A 192.0.2.1
> And the child zone contains:
> 172800 IN NS ns1
> ns1 172800 IN A 192.0.2.1
> And some other records, but no record for ns.child.parent.example.
> Tthis means that if I ask a resolver for ns.child.parent.example. IN
> A, the resolver caches the Name Error for that name, and the zone is
> inaccessible (more precisely, no new records can be added to the
> cache) until this information expires from the cache. Without the
> explicit query, the referral is used, and everything appears to work
> as usual.
> Maybe this is a BIND-9-specific issue, but it seems difficult to do
> this differently when you prefer in-zone data over the information
> learned from referrals.
No. It's not a BIND 9 specific issue. It is very visible
when you have a IPv6 capable iterative resolver. BIND 9
and BIND 8.4 are IPv6 capable iterative resolvers. They
ask for both A and AAAA records and give that most of the
glue is A records they see into the child zone more often
than IPv4 only iterative resolvers.
There are similar problems with zone for which there are
only glue address records.
CNAMEs cause similar problems.
A lot of these problems would go away if registrars / registries
checked the child zone before accepting changes.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations