[dns-operations] Delegation inconsistency

Mark Andrews Mark_Andrews at isc.org
Sun Apr 30 23:08:42 UTC 2006 

> * John Kristoff:
> 
> > I was curious if in the strictest sense whether differing TTLs between
> > the parent and child constitute an error.  The only discussion I found
> > that seemed to indicate this might be a real problem was at the top of
> > this page:
> >
> >   <http://lancelot.cs.ucla.edu/dns/zones/spider/errors.html>
> 
> Interesting.  A colleague of mine recently stumbled across a
> particular destructive inconsistency while testing some software in
> the shady corners of DNS.
> 
> The parent zone parent.example. contains this delegation:
> 
>   child     172800 IN NS  ns.child
>   ns.child  172800 IN A   192.0.2.1
> 
> And the child zone contains:
> 
>             172800 IN NS  ns1
>    ns1      172800 IN A 192.0.2.1
> 
> And some other records, but no record for ns.child.parent.example.
> Tthis means that if I ask a resolver for ns.child.parent.example. IN
> A, the resolver caches the Name Error for that name, and the zone is
> inaccessible (more precisely, no new records can be added to the
> cache) until this information expires from the cache.  Without the
> explicit query, the referral is used, and everything appears to work
> as usual.
> 
> Maybe this is a BIND-9-specific issue, but it seems difficult to do
> this differently when you prefer in-zone data over the information
> learned from referrals.

	No.  It's not a BIND 9 specific issue.  It is very visible
	when you have a IPv6 capable iterative resolver.  BIND 9
	and BIND 8.4 are IPv6 capable iterative resolvers.  They
	ask for both A and AAAA records and give that most of the
	glue is A records they see into the child zone more often
	than IPv4 only iterative resolvers.

	There are similar problems with zone for which there are
	only glue address records.

	CNAMEs cause similar problems.

	A lot of these problems would go away if registrars / registries
	checked the child zone before accepting changes.

	Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the dns-operations mailing list