[dns-operations] Broken delegation

Paul Vixie paul at redbarn.org
Sun Mar 9 16:45:12 UTC 2014

Dave Warren wrote:
> On 2014-03-08 14:08, Paul Vixie wrote:
>> In general, delegations have to meet only two conditions. First, every
>> name server that's designated by an NS RR above or below a delegation
>> point has to be authoritative. Second, the set of NS RRs below a
>> delegation point (so, at the zone apex) has to be equal to or a superset
>> of the set of NS RRs above that delegation point (so, the parent's
>> zone-leaf).
> So what actually breaks if a zone contains a subset of the NS? Or an
> alternate set of authoritative servers completely?

Nothing breaks, but the non-overlapping servers will still get a lot of
queries, and those queries will repeat faster if the answer is SERVFAIL,
so it's pretty painful. In other words, you can't improve your situation
by not listing at the apex all servers named in the parent's delegation,
but you can make everybody's situation worse by pretending that this
helps you if, under that pretense, you stop serving the zone from the
non-overlapping servers.

>> Note that scraping the TLDs isn't a reliable way to find all the
>> invocations of your NS RR name, partly because not all TLDs have ZFA,
>> and partly because not all delegations are in TLDs. Passive DNS is your
>> better answer here.
> Given that I already have a list of zones that are on the server now,
> I'm not really sure how passive DNS would help, although I may be
> missing something obvious -- The goal isn't to discover the list of
> zones, I have that list already; my goal is to discover the NS records
> that are delegating to zones that I now control so that I can match
> those NS records within the zone itself, ensuring that my zone equals
> or contains a superset of the appropriate NS records.

Ah, ok. I thought you needed clarity on the list of zones using a name
server, so my example was wrong-headed.
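As an added illustration of the two conditions stated above (this is not code from the thread or from any of its participants), the following Python script checks a delegation against them on constructed data: a parent NS set, plus what each named server answered when asked for the zone's apex NS RRset. The names `example.test`, `ns1`..`ns4`, `old-host.test` and `new-host.test` are made up, as are the classes `ApexResponse` and `DelegationReport` and the function `check_delegation`. The "broken" scenario models exactly the case Vixie warns about: a server that is still in the parent's delegation but was dropped from the apex and has stopped serving the zone.

```python
# Added example, not from the dns-operations thread. Checks Vixie's two
# delegation conditions on constructed data; nothing touches the network.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class ApexResponse:
    """What one name server said when asked, with RD=0, for the zone's apex NS RRset."""
    rcode: str                                  # "NOERROR", "SERVFAIL", "REFUSED", ...
    aa: bool                                    # AA (authoritative answer) flag set?
    ns: Set[str] = field(default_factory=set)   # NS owner names it returned at the apex


@dataclass
class DelegationReport:
    not_authoritative: Set[str]   # condition 1 violations: named above or below, but not AA
    missing_at_apex: Set[str]     # condition 2 violations: in parent's NS set, absent at apex
    apex_only: Set[str]           # at apex but not in parent (allowed: apex may be a superset)
    apex_disagreement: Set[str]   # authoritative servers whose apex NS set differs from the union

    def ok(self) -> bool:
        return not (self.not_authoritative or self.missing_at_apex or self.apex_disagreement)


def _norm(name: str) -> str:
    """Canonical FQDN form: lowercase, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def check_delegation(parent_ns: Iterable[str],
                     responses: Dict[str, ApexResponse]) -> DelegationReport:
    parent = {_norm(n) for n in parent_ns}
    resp = {_norm(s): r for s, r in responses.items()}

    # Only a NOERROR answer with AA set counts as "serving the zone".
    auth = {s: {_norm(n) for n in r.ns}
            for s, r in resp.items() if r.rcode == "NOERROR" and r.aa}

    # The child's apex NS set, as seen by the servers that really are authoritative.
    apex = set().union(*auth.values()) if auth else set()

    # Condition 1: every server named above (parent) or below (apex) must be
    # authoritative. A server that never answered is treated as not authoritative.
    not_auth = {s for s in (parent | apex) if s not in auth}

    # Condition 2: the apex set must be a superset of the parent's set.
    missing = parent - apex
    apex_only = apex - parent

    # Authoritative servers should all agree on what the apex NS set is.
    disagree = {s for s, ns in auth.items() if ns != apex}

    return DelegationReport(not_auth, missing, apex_only, disagree)


def broken_scenario() -> DelegationReport:
    """Constructed: the parent still delegates to ns3.old-host.test, which was
    dropped from the apex and has stopped loading the zone (answers SERVFAIL)."""
    parent_ns = ["ns1.example.test", "ns2.example.test", "ns3.old-host.test"]
    apex = {"ns1.example.test", "ns2.example.test", "ns4.new-host.test"}
    responses = {
        "ns1.example.test": ApexResponse("NOERROR", True, set(apex)),
        "ns2.example.test": ApexResponse("NOERROR", True, set(apex)),
        "ns3.old-host.test": ApexResponse("SERVFAIL", False),       # zone unloaded
        "ns4.new-host.test": ApexResponse("NOERROR", True, set(apex)),
    }
    return check_delegation(parent_ns, responses)


def fixed_scenario() -> DelegationReport:
    """Constructed: ns3 keeps serving the zone and the apex lists every parent
    server plus the new one, so the apex set is a superset of the parent's."""
    parent_ns = ["ns1.example.test", "ns2.example.test", "ns3.old-host.test"]
    apex = {"ns1.example.test", "ns2.example.test",
            "ns3.old-host.test", "ns4.new-host.test"}
    responses = {s: ApexResponse("NOERROR", True, set(apex)) for s in apex}
    return check_delegation(parent_ns, responses)


if __name__ == "__main__":
    for label, report in (("broken", broken_scenario()), ("fixed", fixed_scenario())):
        print(f"[{label}] ok={report.ok()}")
        print(f"  not authoritative : {sorted(report.not_authoritative)}")
        print(f"  missing at apex   : {sorted(report.missing_at_apex)}")
        print(f"  apex only         : {sorted(report.apex_only)}")
        print(f"  apex disagreement : {sorted(report.apex_disagreement)}")
```

To run this against a live zone, fill `responses` from real queries sent with recursion desired cleared to each server named in the parent's delegation and at the apex, recording the rcode, the AA flag and the NS RRset returned; the report then tells you which servers need the zone loaded, and which parent-side NS records the apex must still carry.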


More information about the dns-operations mailing list