[dns-operations] DNS zone without an SOA or NS records
Mark Andrews
marka at isc.org
Wed Jul 20 22:06:03 UTC 2011
In message <alpine.LFD.1.10.1107201522020.31716 at newtla.xelerance.com>, Paul Wou
ters writes:
> On Wed, 20 Jul 2011, Chuck Anderson wrote:
>
> > Is it valid to have a DNS zone that serves only A records, but does
> > not contain any SOA or NS recods?
> >
> > Isilon (a network storage appliance) apparently does this and wants a
> > DNS delegation to it to handle the built-in load-balancing/failover
> > that it does.
> >
> > e.g. if you have a zone example.com, and you want to serve files from
> > the Isilon device with a name of files.example.com, then Isilon wants
> > you to put this in example.com:
> >
> > $ORIGIN example.com.
> > files IN NS files-sip.example.com.
> > files-sip IN A 192.168.1.100
> >
> > But when you try to query 192.168.1.100, no answers are returned for
> > SOA or NS--only A queries are responded to.
>
> It's invalid. And it breaks any resolver that tries to verify glue/hints.
> Some Cisco load balancers do the same thing. And they also don't respond
> to NS records. It broke a large bank DNS setup when using unbound with any
> kind of hardening enabled. This hardening for example is defined in
>
> http://tools.ietf.org/html/draft-wijngaards-dnsext-resolver-side-mitigation-0
> 1
>
> > Is that compliant with DNS standards (I think not)? If not, can
> > someone please point me to the relevant standard where is says there
> > must be an SOA and NS record?
>
> > More importantly, what are the ramifications of not having any SOA or
> > NS records in the zone?
>
> It breaks, and some clients wont be able to reach your service.
>
> Paul
Additionally the NS records MUST be there for a DNSSEC validator
to deal with the grandparent problem.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list