[dns-operations] Another possible .gov validation problem?
Ed.Lewis at neustar.biz
Mon Feb 14 14:29:33 UTC 2011
At 8:15 +0000 2/14/11, George Barwood wrote:
>The practical issue here is detecting that there actually IS a problem.
Even if name server code evolved to look at inter-zone implications
as 2181 hints towards, this would not eliminate the problem of
NXDOMAIN vs. SERVFAIL.
>In another context (glue), RFC 2181 says this
> Where a server can detect from two zone files
> that one or more are incorrectly configured, so as to create
> conflicts, it should refuse to load the zones determined to be
> erroneous, and issue suitable diagnostics.
Even if this happened, it would not find this situation:
Machine A has zone X
Machine B has zone X and zone A.B.X
Machine C has zone B.X
In B.X there is no delegation to A.B.X.
Queries to A would return NXDOMAIN for WWW.A.B.X.
Queries to B would *result* in SERVFAIL for WWW.A.B.X. when validated
by a recursive server.
The deal here is that Machine B does not have the middle zone and
doesn't know A.B.X is illegitimate. The unstated principle that plays
a role in this is that no server contacts any other server during the
loading phase, for performance reasons. So Machine B won't
"discover" what's in Machine C.
NeuStar You can leave a voice message at +1-571-434-5468
Me to infant son: "Waah! Waah! Is that all you can say? Waah?"
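A toy model of the three-machine layout described in the message above, added here as an example and not part of the original post. It assumes a constructed table of which machine loads which zone, that X delegates B.X but B.X has no cut for A.B.X, and a single WWW record in A.B.X; it shows why a load-time check that compares only locally loaded zones finds nothing on Machine B, while a validating resolver gets NXDOMAIN via A or C and SERVFAIL when answered from B.

```python
# Constructed data modelling the post's three machines. Zone names X, B.X and
# A.B.X come from the post; record contents and the hosting table are assumed.
MACHINES = {"A": {"X"}, "B": {"X", "A.B.X"}, "C": {"B.X"}}
# Child zones each zone actually delegates (NS + DS). B.X has no cut for A.B.X.
DELEGATIONS = {"X": {"B.X"}, "B.X": set(), "A.B.X": set()}
# Names present in each zone apart from delegations.
RECORDS = {"A.B.X": {"WWW.A.B.X"}}


def parent_of(zone):
    return zone.split(".", 1)[1] if "." in zone else None


def local_consistency_check(machine):
    """Load-time check in the spirit of RFC 2181: only zones loaded on this
    machine are compared and no other server is contacted. Returns zones
    whose parent is also loaded here but carries no delegation to them."""
    zones = MACHINES[machine]
    return sorted(z for z in zones
                  if parent_of(z) in zones and z not in DELEGATIONS[parent_of(z)])


def closest_zone(machine, qname):
    """Longest zone on `machine` enclosing qname (what the server answers from)."""
    enclosing = [z for z in MACHINES[machine] if qname == z or qname.endswith("." + z)]
    return max(enclosing, key=len) if enclosing else None


def chain_of_trust_ok(zone):
    """Validator's view: every zone between X and `zone` must be delegated by
    its parent; one missing cut makes everything below it unverifiable."""
    cur = zone
    while cur != "X":
        par = parent_of(cur)
        if par is None or cur not in DELEGATIONS.get(par, set()):
            return False
        cur = par
    return True


def resolve(qname, machine):
    """Validating resolver that starts at `machine` and follows referrals to
    whichever machine hosts the delegated child."""
    zone = closest_zone(machine, qname)
    if zone is None:
        return "REFUSED"
    if not chain_of_trust_ok(zone):
        return "SERVFAIL"  # authoritative data, but no chain of trust reaches it
    for child in DELEGATIONS[zone]:
        if qname.endswith("." + child):
            host = next(m for m, zs in MACHINES.items() if child in zs)
            return resolve(qname, host)
    return "NOERROR" if qname in RECORDS.get(zone, set()) else "NXDOMAIN"
```

Adding a constructed machine that loads both B.X and A.B.X makes the local check report A.B.X, which is exactly the case the post says never arises when the middle zone lives elsewhere.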