DNS External/Internal Shadow Domains?

Cricket Liu cricket at acmebw.com
Sat Nov 13 06:38:00 UTC 1999


> The fly in the ointment here is root NS queries. I have discovered that
> whenever a nameserver configured in this "hybrid" way gets a root NS query,
> it'll overlay its existing root NS data with the answer to that query.

That's always been the case.  A "live" response that includes the current
list of root name servers has always been better than the possibly outdated
contents of the root hints file.

> Moreover, if the upstream forwarder has the "rfc2308-type1" option turned on,
> then a query for *any* non-existent TLD would theoretically send back
> Internet root NS'es which would "poison" the internal roots. When internal
> queries are made prior to the first root NS query, the internal NS data gets
> cached and everything *seems* to work, which is what fooled me at first, but
> then when the first root NS query rolls in, it all falls apart.

That's what I've been trying to explain.

> Frankly, I think this is a BIND bug. The whole point of configuring a hints
> file is to take advantage of iteration, so root NS data obtained via a hints
> file shouldn't be overwritten by the answer to a non-iterative query. In the
> presence of a hints file, BIND should either not cache the results of a
> forwarded root NS query at all, or it should cache those entries separately
> from the ones it uses for referrals.

I don't think the occasional negative responses that include the root
name servers in the authority section are your real problem.  I think the
system query, which every name server does after startup, is the culprit.
And you certainly want the results of the system query to supersede the
root hints file.

> And the really annoying part is that you can't even get around this by making
> the server a slave to the internal root zone; that seems to cancel global
> forwarding, even though technically it shouldn't.

No, technically, it should.  Root name servers see the world as what's in
the root zone and below.  Daimler-Chrysler's root zone may include
delegation to several carmakers' zones now, but it doesn't include
delegation to, for example, the ls TLD.  Consequently, as far as the
root name server is concerned, ls doesn't exist.  And there's no reason
to forward a query for a domain name you know doesn't exist.

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend the next Internet Software Consortium/Acme Byte & Wire
DNS and BIND class!  See www.acmebw.com/training.htm for
the schedule and to register for upcoming classes.
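As an added illustration of the two setups discussed in the message above (these fragments are not from the original post or from BIND's own documentation): BIND 8-era named.conf for the "hybrid" server that learns the internal roots from a hints file while forwarding globally, beside the alternative where the server is a slave of the internal root zone. The addresses, file names and the "forward first" choice are assumptions made for the example.

```conf
// Added example, not from the original post. Addresses and file names
// are assumptions; the syntax is BIND 8-era named.conf.

// ---- named.conf, variant A: the "hybrid" server from the post ----
// The root NS RRset comes from a hints file and is therefore *cached*
// data. Every query, including the root NS system query named sends
// after startup, goes to the forwarder first, and a forwarded answer
// that carries the Internet root NS RRset (the system query's answer,
// or a negative answer from a forwarder running "rfc2308-type1 yes;")
// replaces the internal root NS data in the cache.
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };   // upstream resolver with the Internet view
    forward first;                // try the forwarder, fall back to iteration
};

zone "." {
    type hint;
    file "internal-root.hints";   // NS and A records of the internal root servers
};

// ---- named.conf, variant B: slave of the internal root ----
// "." is now *authoritative* zone data, not cache, so nothing learned
// from the forwarder can overwrite it. The cost Cricket describes: a
// query for a TLD that the internal root does not delegate (his "ls"
// example) is answered NXDOMAIN from the zone and is never forwarded,
// because as far as this server is concerned the name does not exist.
options {
    directory "/var/named";
    forwarders { 192.0.2.53; };
    forward only;
};

zone "." {
    type slave;
    file "internal-root.slave";
    masters { 10.0.0.1; };        // primary for the internal root zone
};
```

The two variants are separate files, not one named.conf; the comments mark where each begins. Variant B only forwards queries for names beneath delegations the internal root actually makes, so any Internet TLD an internal client needs has to be delegated from that root before forwarding will reach it.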