[dns-operations] Are IANA GlueCoherencyCheck for authoritative name servers correct?

Klaus Darilion klaus.mailinglists at pernau.at
Sat Dec 21 11:52:06 UTC 2013 

Hi!

I have some questions about the IANA checks for name servers, especially 
this one:

 >
 >> - GlueCoherencyCheck
 >>
 >> - The A and AAAA records [] returned from the authoritative name server
 >> [B.DNS.NIC.WIEN] are not the same as the supplied glue records
 >> [193.170.61.4, 2001:62A:A:2000:0:0:0:4].
 >> - The A and AAAA records [] returned from the authoritative name server
 >> [A.DNS.NIC.WIEN] are not the same as the supplied glue records
 >> [194.0.25.15, 2001:678:20:0:0:0:0:15].
 >> - The A and AAAA records [] returned from the authoritative name server
 >> [C.DNS.NIC.WIEN] are not the same as the supplied glue records
 >> [193.170.187.4, 2001:62A:A:3000:0:0:0:4].

I think this is related to this requirement:

 > Consistency between glue and authoritative data
 > For name servers that have IP addresses listed as glue, the IP 
addresses must match the authoritative A and AAAA records for that host.

TLD Zone: wien
Name Servers: a.dns.nic.wien, b.dns.nic.wien, c.dns.nic.wien.

Currently, the TLD name servers do not provide glue records for itself.

# dig @194.0.25.15 wien ns +nostat
;; QUESTION SECTION:
;wien.                          IN      NS
;; ANSWER SECTION:
wien.                   14400   IN      NS      a.dns.nic.wien.
wien.                   14400   IN      NS      b.dns.nic.wien.
wien.                   14400   IN      NS      c.dns.nic.wien.

I think this i correct, because nic.wien is delegation:

# dig @194.0.25.15 a.dns.nic.wien.
;; QUESTION SECTION:
;a.dns.nic.wien.                        IN      A
;; AUTHORITY SECTION:
nic.wien.               14400   IN      NS      sec1.rcode0.net.
nic.wien.               14400   IN      NS      sec2.rcode0.net.

And these name servers provide the answers:

# dig @sec1.rcode0.net. a.dns.nic.wien.
;; QUESTION SECTION:
;a.dns.nic.wien.                        IN      A
;; ANSWER SECTION:
a.dns.nic.wien.         3600    IN      A       194.0.25.15


I think the name servers for .wien are correctly configured, and the 
IANA GlueCoherencyCheck check is wrong, as the TLD name servers are not 
authoritative for a/b/c.dns.nic.wien. So, the GlueCoherencyCheck is 
wrong and should resolve a/b/c.dns.nic.wien not only by aksing the name 
servers, but by following the referal.

What do you think?

Thanks
Klaus

More information about the dns-operations mailing list