scope of zone files

Brad Knowles brad.knowles at skynet.be
Mon Jul 2 16:29:19 UTC 2001


At 9:18 AM +0000 7/2/01, Ian Marsh wrote:

>    I wonder if someone can clear something up for me regarding the 'scope' of
>  zone files. I have just started looking at how we can tidy up our DNS
>  configuration and I think there could be room for improvement with the
>  'hants.sch.uk' domains that we run. Here's the problem:
>
>    The 'hants.sch.uk' domain is owned by Nominet and they have no intention
>  of releasing it to us (which is fair enough I guess). However, we do have a
>  significant number of 'sub' domains delegated to us.

	Well, the domain "hants.sch.uk" does not appear to be a proper 
zone -- it does not have an SOA or set of NS records:

% dnswalk -alF hants.sch.uk.
Checking hants.sch.uk.
BAD: SOA record not found for hants.sch.uk.
BAD: hants.sch.uk. has NO authoritative nameservers!
BAD: All zone transfer attempts of hants.sch.uk. failed!
0 failures, 0 warnings, 3 errors.

	So, this domain is being managed directly from the sch.uk zone, 
which appears to be clean:

% doc -d sch.uk
Doc-2.2.2: doc -d sch.uk
Doc-2.2.2: Starting test of sch.uk.   parent is uk.
Doc-2.2.2: Test date - Mon Jul  2 12:17:07 EDT 2001
DEBUG: digging @ns.eu.net. for soa of uk.
soa @ns.eu.net. for uk. has serial: 2001032001
DEBUG: digging @ns.uu.net. for soa of uk.
soa @ns.uu.net. for uk. has serial: 2001032001
DEBUG: digging @ns0.ja.net. for soa of uk.
soa @ns0.ja.net. for uk. has serial: 2001032001
DEBUG: digging @ns1.nic.uk. for soa of uk.
soa @ns1.nic.uk. for uk. has serial: 2001032001
SOA serial #'s agree for uk. domain
Found 7 NS and 7 glue records for sch.uk. @ns.eu.net. (AUTH)
Found 7 NS and 3 glue records for sch.uk. @ns.uu.net. (non-AUTH)
Found 7 NS and 7 glue records for sch.uk. @ns0.ja.net. (AUTH)
Found 7 NS and 2 glue records for sch.uk. @ns1.nic.uk. (AUTH)
DNServers for uk.
    === 3 were also authoritatve for sch.uk.
    === 1 were non-authoritative for sch.uk.
Servers for uk. that are also authoritative for sch.uk.
    === agree on NS records for sch.uk.
NS lists for sch.uk. from all uk. servers are identical
    === (both authoritative and non-authoritative for sch.uk.)
DEBUG: domserv = ns-nom.pipex.net. ns.eu.net. ns0.ja.net. 
ns1.cs.ucl.ac.uk. ns1.nic.uk. ns1.surfnet.nl. sec1.dns.uk.psi.net.
DEBUG: domservaa = ns-nom.pipex.net. ns.eu.net. ns0.ja.net. 
ns1.cs.ucl.ac.uk. ns1.nic.uk. ns1.surfnet.nl. sec1.dns.uk.psi.net.
NS list summary for sch.uk. from parent (uk.) servers
   == ns-nom.pipex.net. ns.eu.net. ns0.ja.net.
   == ns1.cs.ucl.ac.uk. ns1.nic.uk. ns1.surfnet.nl.
   == sec1.dns.uk.psi.net.
digging @ns-nom.pipex.net. for soa of sch.uk.
soa @ns-nom.pipex.net. for sch.uk. serial: 2001070201
digging @ns.eu.net. for soa of sch.uk.
soa @ns.eu.net. for sch.uk. serial: 2001070201
digging @ns0.ja.net. for soa of sch.uk.
soa @ns0.ja.net. for sch.uk. serial: 2001070201
digging @ns1.cs.ucl.ac.uk. for soa of sch.uk.
soa @ns1.cs.ucl.ac.uk. for sch.uk. serial: 2001070201
digging @ns1.nic.uk. for soa of sch.uk.
soa @ns1.nic.uk. for sch.uk. serial: 2001070201
digging @ns1.surfnet.nl. for soa of sch.uk.
soa @ns1.surfnet.nl. for sch.uk. serial: 2001070201
digging @sec1.dns.uk.psi.net. for soa of sch.uk.
soa @sec1.dns.uk.psi.net. for sch.uk. serial: 2001070201
SOA serial #'s agree for sch.uk.
Authoritative domain (sch.uk.) servers agree on NS for sch.uk.
NS list from sch.uk. authoritative servers matches list from
   === all parent (uk.) servers
Checking 0 potential addresses for hosts at sch.uk.
   ==
Summary:
    No errors or warnings issued for sch.uk.
Done testing sch.uk.  Mon Jul  2 12:17:11 EDT 2001


	Unfortunately, when trying to run both "dnswalk" and "DNS Expert" 
on the sch.uk zone, I get "out of memory" errors (doing a manual zone 
transfer, I get back 60318 lines, of which ".hants." matches 1566 
lines).

>    My question is... Is it OK to set up a zone in named.conf for
>  'hants.sch.uk' or do I have to set up individual zones for
>  'site1.hants.sch.uk', 'site2...' etc.? (We currently have the latter.) Things
>  would be easier to manage with just the one zone file, but I'm unclear on
>  whether this is allowed/safe or not.

	No, you should not do this -- not under any circumstances whatsoever.

	The situation would be no better than you setting up a nameserver 
that claimed to be authoritative for all of ".com" or ".co.uk", and 
then listing itself (or sub-delegating) some zones within that.  If 
this information ever leaked out of your nameservers, it could cause 
havoc for anyone else who might want to access other legitimate zones 
within the parent zone that you would be illegally claiming that you 
own.


	Sorry, guy.  You just have to do this the hard way, unless you 
can get the registrar for sch.uk to delegate all of hants.sch.uk to 
you.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
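The two checks Brad runs by hand above (does the name have its own SOA, and what lies beneath it in the parent zone) can be done offline against a zone-transfer dump. The following is an added example written for this archive page; it is not code from Brad, from dnswalk or from the doc script. It parses a constructed zone dump in which every name and host is hypothetical (nothing is taken from the real sch.uk zone) and reports, for a candidate name such as hants.sch.uk, whether it is a real zone apex and which delegations below it would be shadowed if a local server were configured as authoritative for it while not serving all of those delegations. The `my_nameservers` parameter and the `lea.example` hosts are assumptions for the example only.

```python
import re

# Constructed sample of a parent-zone dump, the kind of text a manual zone
# transfer returns. Every name and host is hypothetical; nothing here is
# taken from the real sch.uk zone.
SAMPLE_ZONE_DUMP = """\
; constructed sample, not real data
sch.uk.                 86400  IN  SOA  ns1.nic.uk. hostmaster.nic.uk. 2001070201 3600 1800 604800 86400
sch.uk.                 86400  IN  NS   ns1.nic.uk.
site1.hants.sch.uk.     86400  IN  NS   ns0.lea.example.
site1.hants.sch.uk.     86400  IN  NS   ns1.lea.example.
site2.hants.sch.uk.     86400  IN  NS   ns0.lea.example.
college.hants.sch.uk.   86400  IN  NS   dns.other-provider.example.
school.kent.sch.uk.     86400  IN  NS   ns.kent.example.
ns0.lea.example.        86400  IN  A    192.0.2.10
"""

# owner [ttl] [IN] (SOA|NS) rdata ; TTL and class are optional in dump output
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SOA|NS)\s+(\S+)", re.IGNORECASE)


def _fqdn(name):
    """Normalise a name to lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(dump_text):
    """Return (soa_names, delegations): the set of names that carry an SOA,
    and a dict mapping each NS owner name to the set of nameservers it
    points at. Only SOA and NS records matter for zone-boundary questions."""
    soa_names = set()
    delegations = {}
    for line in dump_text.splitlines():
        line = line.split(";", 1)[0].rstrip()   # drop comments and blanks
        if not line:
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = _fqdn(m.group(1)), m.group(2).upper(), _fqdn(m.group(3))
        if rtype == "SOA":
            soa_names.add(owner)
        else:
            delegations.setdefault(owner, set()).add(rdata)
    return soa_names, delegations


def is_zone_apex(soa_names, name):
    """The test dnswalk applies: a name is a zone of its own only if it has
    its own SOA. An NS set alone is a delegation, not a zone apex."""
    return _fqdn(name) in soa_names


def delegations_under(delegations, candidate):
    """All delegated names strictly below candidate (candidate itself excluded)."""
    suffix = "." + _fqdn(candidate)
    return {n: ns for n, ns in delegations.items() if n.endswith(suffix)}


def shadow_report(dump_text, candidate, my_nameservers):
    """Describe the effect of declaring candidate as a local authoritative
    zone: a server answering for candidate answers for everything beneath
    it, so every delegation below candidate whose nameservers are not all
    in my_nameservers would be shadowed for clients that reach this server."""
    soa_names, delegations = parse_records(dump_text)
    mine = {_fqdn(ns) for ns in my_nameservers}
    below = delegations_under(delegations, candidate)
    owned = sorted(n for n, ns in below.items() if ns <= mine)
    shadowed = sorted(n for n, ns in below.items() if not ns <= mine)
    return {
        "candidate_is_zone": is_zone_apex(soa_names, candidate),
        "owned": owned,
        "shadowed": shadowed,
    }


if __name__ == "__main__":
    report = shadow_report(SAMPLE_ZONE_DUMP, "hants.sch.uk",
                           ["ns0.lea.example", "ns1.lea.example"])
    print("hants.sch.uk is a zone apex:", report["candidate_is_zone"])
    print("delegations we serve:     ", report["owned"])
    print("delegations we would hide:", report["shadowed"])
```

On the sample dump the candidate has no SOA, so it is not a zone, and one delegation (the hypothetical college.hants.sch.uk.) points at a third party; that is the delegation a local "hants.sch.uk" zone would silently hide, which is the concrete form of the havoc Brad describes. On a real dump the input would be the output of a zone transfer you are permitted to perform, read from a file.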

