NS record question

Bob Vance bobvance at alumni.caltech.edu
Mon Mar 26 19:03:42 UTC 2001


>There is no NOTIFY issue. Notifies get sent to slave servers, not to child
>zones. This discussion was about omitting NS records for delegation when
>child is hosted from the same server. Not a discussion about the NS record
>residing at a zone's apex.

My point was that if you had a secondary server for the sub-zone, which
would otherwise work correctly (even without the NS records) for lookup
requests to that sub-zone, but no NS records, then the secondary would
not get NOTIFYed when changes were made on the primary.


-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: roy at node10c4d.a2000.nl [mailto:roy at node10c4d.a2000.nl]On Behalf Of
Roy Arends
Sent: Monday, March 26, 2001 1:33 PM
To: Bob Vance
Cc: bind-users at isc.org
Subject: RE: NS record question


On Mon, 26 Mar 2001, Bob Vance wrote:

> I had noticed that creating a sub-zone on the same server without
> delegation worked in the simple environment of my home network with only
> one nameserver.  I later went ahead and did the delegation to itself
> when I realized my omission, but it got me to wondering about the same
> thing.
>
> So I'm also trying to figure out exactly where it breaks down.
> A secondary server should be authoritative and he knows how to get zone
> transfers done, so he should be able to answer OK without NS records.

This is not so much a zone-transfer issue. He indeed should be OK when
asked for information from its zone. But consider the following:

3 nameservers: 1.1.1.1, 2.2.2.2 and 3.3.3.3

3 zones: "mil." "army.mil." and "navy.mil.", No NS records at .mil for
army.mil. and navy.mil.

1.1.1.1 is master for "mil."
1.1.1.1 is master for "army.mil."
1.1.1.1 is master for "navy.mil."

2.2.2.2 is slave for "mil."
2.2.2.2 is slave for "army.mil."

3.3.3.3 is slave for "mil."
3.3.3.3 is slave for  "navy.mil."

When a resolver queries root for "ship.navy.mil.", root refers to 1.1.1.1,
2.2.2.2 and 3.3.3.3 for the "mil." domain.

A resolver chooses one of those, say 2.2.2.2.

When a resolver queries 2.2.2.2 for "ship.navy.mil.", 2.2.2.2 will not
refer to 3.3.3.3, there are no NS records for child zones in the .mil zone,
because parent and child are hosted on the same server. Now, the resolver
hangs in the blue, depressed and lonely, cause no-one can answer its
question. Even worse, it will get an authoritative "NXDOMAIN" back.

> Another server somewhere trying to get sub-zone.foo.com would be
> referred to the nameserver(s) for foo.com. -- but then he (or they)
> would know that they are authoritative for sub-zone.foo.com and should
> answer.
>
> Right?
>
> I guess without the NS records there would be a NOTIFY issue.

There is no NOTIFY issue. Notifies get sent to slave servers, not to child
zones. This discussion was about omitting NS records for delegation when
child is hosted from the same server. Not a discussion about the NS record
residing at a zone's apex.

Regards,

Roy Arends
Nominum
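
The three-server scenario from Roy Arends' message, modelled as an added example that is not part of the original thread. It shows why the missing delegation goes unnoticed on 1.1.1.1 and 3.3.3.3 but produces an authoritative NXDOMAIN on 2.2.2.2; the host names ns1/ns2/ns3.mil. and the address 192.0.2.10 are constructed sample data.

```python
# Constructed model of the thread's scenario. Server IPs and zone names are
# from the thread; ns1/ns2/ns3.mil. and 192.0.2.10 are made-up sample data.
# Simplified: no wildcards, CNAMEs, glue or empty non-terminals.

def encloses(zone, name):
    return name == zone or name.endswith("." + zone)

class Server:
    def __init__(self, zones):
        self.zones = zones  # {apex: {owner: {rrtype: [rdata]}}}

    def answer(self, qname, qtype="A"):
        """Return (status, authoritative, rdata) for one query."""
        apexes = [z for z in self.zones if encloses(z, qname)]
        if not apexes:
            return ("REFUSED", False, [])
        apex = max(apexes, key=len)  # most specific zone loaded on this server
        zone = self.zones[apex]
        prefix = qname[: len(qname) - len(apex)].rstrip(".")
        labels = prefix.split(".") if prefix else []
        # Walk down from the apex; an NS set below the apex marks a zone cut.
        for i in range(len(labels) - 1, -1, -1):
            owner = ".".join(labels[i:]) + "." + apex
            if "NS" in zone.get(owner, {}):
                return ("REFERRAL", False, zone[owner]["NS"])
        if qname not in zone:
            return ("NXDOMAIN", True, [])
        return ("NOERROR", True, zone[qname].get(qtype, []))

NAVY = {"navy.mil.": {"NS": ["ns1.mil.", "ns3.mil."]},
        "ship.navy.mil.": {"A": ["192.0.2.10"]}}
ARMY = {"army.mil.": {"NS": ["ns1.mil.", "ns2.mil."]}}

def build(delegate):
    """The thread's three servers; delegate=True adds the NS sets to mil."""
    mil = {"mil.": {"NS": ["ns1.mil.", "ns2.mil.", "ns3.mil."]}}
    if delegate:
        mil["navy.mil."] = {"NS": NAVY["navy.mil."]["NS"]}
        mil["army.mil."] = {"NS": ARMY["army.mil."]["NS"]}
    return {
        "1.1.1.1": Server({"mil.": mil, "army.mil.": ARMY, "navy.mil.": NAVY}),
        "2.2.2.2": Server({"mil.": mil, "army.mil.": ARMY}),
        "3.3.3.3": Server({"mil.": mil, "navy.mil.": NAVY}),
    }
```

Calling `build(False)["2.2.2.2"].answer("ship.navy.mil.")` gives the authoritative NXDOMAIN described in the message, while the same query against `build(True)` returns a referral to the navy.mil. servers.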