[dns-operations] DNS zone without an SOA or NS records
Paul Wouters
paul at xelerance.com
Wed Jul 20 19:29:41 UTC 2011
On Wed, 20 Jul 2011, Chuck Anderson wrote:
> Is it valid to have a DNS zone that serves only A records, but does
> not contain any SOA or NS records?
>
> Isilon (a network storage appliance) apparently does this and wants a
> DNS delegation to it to handle the built-in load-balancing/failover
> that it does.
>
> e.g. if you have a zone example.com, and you want to serve files from
> the Isilon device with a name of files.example.com, then Isilon wants
> you to put this in example.com:
>
> $ORIGIN example.com.
> files IN NS files-sip.example.com.
> files-sip IN A 192.168.1.100
>
> But when you try to query 192.168.1.100, no answers are returned for
> SOA or NS--only A queries are responded to.
It's invalid. And it breaks any resolver that tries to verify glue/hints.
Some Cisco load balancers do the same thing. And they also don't respond
to NS records. It broke a large bank DNS setup when using unbound with any
kind of hardening enabled. This hardening for example is defined in
http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-01
> Is that compliant with DNS standards (I think not)? If not, can
> someone please point me to the relevant standard where is says there
> must be an SOA and NS record?
> More importantly, what are the ramifications of not having any SOA or
> NS records in the zone?
It breaks, and some clients won't be able to reach your service.
Paul
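As an added example that is not part of the original post (and not code from Isilon, Cisco or Unbound): a small audit that queries a delegation target for the SOA, NS and A records a resolver expects to find there, so the failure mode described above is caught before a hardened resolver trips on it. It uses only the Python standard library and builds the queries in wire format; the transport is a callable, so the same audit runs against the real server over UDP or, offline, against a constructed stand-in that behaves like the appliance in the post (answers A, says nothing for SOA/NS). The name files.example.com and address 192.168.1.100 are taken from the quoted zone snippet; simulated_target is constructed for illustration and is not a model of any vendor's actual implementation.

```python
"""Audit a delegation target for the SOA/NS/A answers a resolver expects.

Added example, not code from the original post or from any vendor. It builds
DNS queries in wire format with only the standard library; the transport is a
callable so the same audit runs against a real server over UDP or, offline,
against a constructed stand-in for an appliance that answers only A queries.
"""
import socket
import struct

QTYPES = {"SOA": 6, "NS": 2, "A": 1}
ZONE = "files.example.com"          # the delegated name from the post
APPLIANCE = "192.168.1.100"         # its address from the post (RFC 1918)


def build_query(name, qtype, txid=0x1234):
    # Header: id, flags=0 (RD off: we want the authoritative answer, not
    # recursion), QDCOUNT=1. Question: labels, root, QTYPE, QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(reply):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF,
            "ancount": an}


def udp_transport(server, port=53, timeout=2.0):
    """Real transport: send one query to `server`, return the reply or None."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return send


def audit_delegation(name, send):
    """Query the target for SOA, NS and A of `name`; classify each reply."""
    results = {}
    for label, qtype in QTYPES.items():
        txid = 0x1000 + qtype
        reply = send(build_query(name, qtype, txid))
        if reply is None:
            results[label] = "timeout"
            continue
        h = parse_header(reply)
        if h["id"] != txid:
            results[label] = "bad-id"
        elif h["rcode"] != 0:
            results[label] = "rcode=%d" % h["rcode"]
        elif h["ancount"] == 0:
            results[label] = "empty"
        else:
            results[label] = "ok"
    return results


def is_valid_delegation(results):
    """A delegation target must answer all three; anything else trips a
    resolver that verifies the referral path."""
    return all(v == "ok" for v in results.values())


def simulated_target(behaviour="drop", addr=APPLIANCE):
    """Constructed stand-in for the delegated server (not a real appliance).

    behaviour="drop":  answers A, silently ignores SOA/NS (as in the post)
    behaviour="empty": answers A, returns NOERROR with no records for SOA/NS
    behaviour="full":  a proper authority that answers all three
    """
    def rdata(qtype):
        if qtype == 1:
            return socket.inet_aton(addr)
        if qtype == 2:                       # NS rdata: a name; point at the qname
            return struct.pack("!H", 0xC00C)
        # SOA rdata: mname, rname (both pointers), serial, refresh, retry, expire, minimum
        return struct.pack("!HHIIIII", 0xC00C, 0xC00C, 1, 3600, 600, 86400, 300)

    def send(query):
        txid = struct.unpack("!H", query[:2])[0]
        end = query.index(b"\x00", 12)                 # end of QNAME
        qtype = struct.unpack("!H", query[end + 1:end + 3])[0]
        question = query[12:end + 5]
        if qtype != 1 and behaviour == "drop":
            return None
        answers = [] if (qtype != 1 and behaviour == "empty") else [
            struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rdata(qtype))) + rdata(qtype)]
        header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, 0)  # QR|AA
        return header + question + b"".join(answers)
    return send


if __name__ == "__main__":
    for mode in ("drop", "empty", "full"):
        r = audit_delegation(ZONE, simulated_target(mode))
        print(mode, r, "OK" if is_valid_delegation(r) else "BROKEN")
    # Against the real device: audit_delegation(ZONE, udp_transport(APPLIANCE))
```

Run against the real device with audit_delegation(ZONE, udp_transport(APPLIANCE)); anything other than "ok" for all three is the condition the thread describes. A resolver that verifies the referral path (Unbound's harden-referral-path option does this) sends the same NS query to the delegated server and, getting no answer, cannot complete the lookup.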