[dns-operations] Knot and NSD handling names below DNAME incorrectly

Matthew Pounsett matt at conundrum.com
Mon Apr 4 14:44:20 UTC 2016


> On Apr 3, 2016, at 12:13, Anand Buddhdev <anandb at ripe.net> wrote:
> 
> On 03/04/16 08:23, Matthew Pounsett wrote:
> 
>>> No. If you do that you break what is returned if the DNAME is removed via
>>> IXFR.  Slaves need to transmit the entire zone content as learnt.
>> 
>> Wouldn't that cause the A record to no longer be occluded, and
>> therefore show up in the same IXFR where the DNAME is removed?
> 
> However, if the zone operator uses dynamic update to remove these DNAME
> or NS records, BIND records that change in a journal, and serves up
> IXFRs from this journal. The dynamic update will not trigger
> re-evaluation of all the other names in the zone, to see if they need to
> be occluded or revealed. That would probably cost a lot of computation
> for large zones.

Yeah, that makes a lot of sense. Especially considering the explicit instructions in the RFC later in this thread. BIND is definitely doing the right thing here.
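The point quoted above (a secondary has to keep occluded records, because an IXFR that removes a DNAME carries only that deletion) as an added example that is not part of the original message. It is a toy zone model in Python; the zone contents and all function names are constructed for illustration and are not taken from BIND, Knot or NSD.

```python
APEX = "example."
# Constructed sample zone: (owner, rtype) -> rdata, names absolute and lowercase.
ZONE = {
    ("example.", "SOA"): "placeholder-soa-rdata",
    ("www.example.", "A"): "192.0.2.10",
    ("sub.example.", "DNAME"): "target.example.net.",
    ("host.sub.example.", "A"): "192.0.2.1",   # occluded by the DNAME above it
}
# Constructed incremental transfer: the only change is the DNAME deletion.
IXFR_DELETES = [("sub.example.", "DNAME")]

def ancestors(name, apex=APEX):
    """Yield the proper ancestors of name, stopping at the zone apex."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:]) + "."
        yield parent
        if parent == apex:
            return

def is_occluded(name, zone, apex=APEX):
    """A name is occluded if an ancestor owns a DNAME or a non-apex NS set."""
    for parent in ancestors(name, apex):
        if (parent, "DNAME") in zone:
            return True
        if parent != apex and (parent, "NS") in zone:
            return True
    return False

def served(zone, apex=APEX):
    """Records the server would answer with: everything not occluded."""
    return {key for key in zone if not is_occluded(key[0], zone, apex)}

def apply_ixfr(zone, deletes=(), adds=None):
    """Apply an incremental change set to the stored zone content."""
    doomed = set(deletes)
    new = {k: v for k, v in zone.items() if k not in doomed}
    new.update(adds or {})
    return new

def after_dname_removed(prune_on_load):
    """Served records after the IXFR, for a secondary that either stores the
    whole zone as received or drops occluded records when it loads the zone."""
    stored = dict(ZONE)
    if prune_on_load:
        stored = {k: stored[k] for k in served(stored)}
    return served(apply_ixfr(stored, IXFR_DELETES))
```

The secondary that pruned occluded data has no way to recover `host.sub.example.` from the IXFR, since the transfer never mentions that record.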


