NS record question

Bob Vance bobvance at alumni.caltech.edu
Mon Mar 26 19:39:40 UTC 2001


Roy said:
>In the parent zone, there _has_ to be delegation records for the child
>zone in any scenario, they should be identical copy of the NS records in
>the child's apex.

Actually, it appears that you do *not* have to have the NS records in
the parent zone *file*, though -- only in the child zone *file*.

This makes sense because the NS records defined in the child zone file will
show up in the server's cache anyway, since it's on the same server.

Thus, the NOTIFY issue that I raised couldn't actually exist -- the
primary *will* have the NS records for the child zone, like it or not :)


Thus I would say that the answer to the original question:

> Should I have NS records for a delegated zone even if the delegation is on
> the same nameserver?
> ---
> db.mydomain.com
> @	IN SOA ns.mydomain.com root.mydomain.com ( ... )
> 	IN NS ns.mydomain.com.
> 	IN NS ns1.mydomain.com.
>
> zone1	IN NS ns.mydomain.com.		#	should these lines be here
> zone1	IN NS ns2.mydomain.com		#

is,
   "No.  You are not *required* to enter them into the parent zone file.
    They will appear from the child zone file.
    You *must* have the NS records in the child zone file or it will not
    load.
   "

This would be a good thing in the sense of defining the records in only
one place.  But, of course, puts obfuscation above readability and
understanding :)


-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: bob vance
Sent: Monday, March 26, 2001 2:07 PM
To: blst
Subject: RE: NS record question


Oops.  Accidentally sent too soon :|

>There is no NOTIFY issue. Notifies get sent to slave servers, not to child
>zones. This discussion was about omitting NS records for delegation when
>child is hosted from the same server. Not a discussion about the NS record
>residing at a zone's apex.

My point was that if you had a secondary server for the sub-zone, which
would otherwise work correctly (even without the NS records) for lookup
requests to that sub-zone, but there were no NS records, then the
secondary would not get NOTIFYed when changes were made on the primary.
At least, I thought that was correct -- that the primary uses the NS
records to decide whom to NOTIFY.

Besides, you were the one that brought up secondary servers :)







-----Original Message-----
From: roy at node10c4d.a2000.nl [mailto:roy at node10c4d.a2000.nl]On Behalf Of
Roy Arends
Sent: Monday, March 26, 2001 1:33 PM
To: Bob Vance
Cc: bind-users at isc.org
Subject: RE: NS record question


On Mon, 26 Mar 2001, Bob Vance wrote:

> I had noticed that creating a sub-zone on the same server without
> delegation worked in the simple environment of my home network with only
> one nameserver.  I later went ahead and did the delegation to itself
> when I realized my omission, but it got me to wondering about the same
> thing.
>
> So I'm also trying to figure out exactly where it breaks down.
> A secondary server should be authoritative and he knows how to get zone
> transfers done, so he should be able to answer OK without NS records.

This is not so much a zone-transfer issue. He indeed should be OK when
asked for information from its zone. But consider the following:

3 nameservers: 1.1.1.1, 2.2.2.2 and 3.3.3.3

3 zones: "mil." "army.mil." and "navy.mil.", No NS records at .mil for
army.mil. and navy.mil.

1.1.1.1 is master for "mil."
1.1.1.1 is master for "army.mil."
1.1.1.1 is master for "navy.mil."

2.2.2.2 is slave for "mil."
2.2.2.2 is slave for "army.mil."

3.3.3.3 is slave for "mil."
3.3.3.3 is slave for  "navy.mil."

When a resolver queries root for "ship.navy.mil.", root refers to 1.1.1.1,
2.2.2.2 and 3.3.3.3 for the "mil." domain.

A resolver chooses one of those, say 2.2.2.2.

When a resolver queries 2.2.2.2 for "ship.navy.mil.", 2.2.2.2 will not
refer to 3.3.3.3, there are no NS records for child zones in the .mil zone,
because parent and child are hosted on the same server. Now, the resolver
hangs in the blue, depressed and lonely, cause no-one can answer its
question. Even worse, it will get an authoritative "NXDOMAIN" back.

> Another server somewhere trying to get sub-zone.foo.com would be
> referred to the nameserver(s) for foo.com. -- but then he (or they)
> would know that they are authoritative for sub-zone.foo.com and should
> answer.
>
> Right?
>
> I guess without the NS records there would be a NOTIFY issue.

There is no NOTIFY issue. Notifies get sent to slave servers, not to child
zones. This discussion was about omitting NS records for delegation when
child is hosted from the same server. Not a discussion about the NS record
residing at a zone's apex.

Regards,

Roy Arends
Nominum
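
Roy's three-server scenario as a small simulation (an added example, not part of the original thread). The lookup logic is a simplified model of an authoritative server, and the ns1/ns2/ns3.mil. host names and the 192.0.2.10 address are constructed; it shows which servers answer, refer or return NXDOMAIN for "ship.navy.mil." with and without the delegation NS records in "mil.".

```python
# Added example: simplified model of how an authoritative server picks a reply.
# ns1/ns2/ns3.mil. and 192.0.2.10 are constructed sample values.

def answer(loaded, qname):
    """loaded maps zone apex -> {owner name -> {rrtype -> [values]}}."""
    labels = qname.rstrip(".").split(".")
    # Closest enclosing zone this server has loaded (longest suffix wins).
    for i in range(len(labels)):
        apex = ".".join(labels[i:]) + "."
        if apex in loaded:
            break
    else:
        return ("REFUSED", None)
    zone = loaded[apex]
    # Walk down from the apex towards qname; NS below the apex is a zone cut.
    for j in range(i - 1, -1, -1):
        owner = ".".join(labels[j:]) + "."
        if "NS" in zone.get(owner, {}):
            return ("REFERRAL", sorted(zone[owner]["NS"]))
    if qname not in zone:
        return ("NXDOMAIN", None)      # authoritative "no such name"
    return ("ANSWER", zone[qname].get("A", []))

def servers(with_delegation):
    """Roy's layout: 1.1.1.1 is master for all, 2.2.2.2 and 3.3.3.3 are slaves."""
    mil = {"mil.": {"NS": ["ns1.mil.", "ns2.mil.", "ns3.mil."]}}
    if with_delegation:  # delegation NS sets copied from each child apex
        mil["army.mil."] = {"NS": ["ns1.mil.", "ns2.mil."]}
        mil["navy.mil."] = {"NS": ["ns1.mil.", "ns3.mil."]}
    army = {"army.mil.": {"NS": ["ns1.mil.", "ns2.mil."]}}
    navy = {"navy.mil.": {"NS": ["ns1.mil.", "ns3.mil."]},
            "ship.navy.mil.": {"A": ["192.0.2.10"]}}
    return {"1.1.1.1": {"mil.": mil, "army.mil.": army, "navy.mil.": navy},
            "2.2.2.2": {"mil.": mil, "army.mil.": army},
            "3.3.3.3": {"mil.": mil, "navy.mil.": navy}}

def survey(qname, with_delegation):
    """Reply each of the three servers would give for qname."""
    return {ip: answer(z, qname) for ip, z in servers(with_delegation).items()}

if __name__ == "__main__":
    for flag in (False, True):
        print("delegation in mil.:", flag)
        for ip, reply in survey("ship.navy.mil.", flag).items():
            print("  ", ip, reply)
```

Without the delegation, the servers that also load "navy.mil." still answer, which is why the omission goes unnoticed on a single-server setup; only the server that holds the parent but not the child gives the wrong reply.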




