NS record question

Bob Vance bobvance at alumni.caltech.edu
Mon Mar 26 21:33:47 UTC 2001

Thanks for your patience, Roy.
This has been very beneficial to me (and hopefully others as well) !

> NS records at the
>child zone have a SIG from the child's zone KEY. This is why there has
>to be a distinction between NS records at parent and child.

Well, there you go -- that was the missing piece.

You're obviously involved knee-deep (if not higher :) in BIND 9 issues,
but it might behoove you to remember that most of us have not upgraded
to 9 yet :)
I was thinking entirely BIND8 (vis-a-vis the NS RR thingy), since that's
as high as I've actually implemented, while you clearly had BIND9 on the
brain :)

So, the bottom line is "Do the right thing" and you'll be OK (or at
least better off :)

Now, off to read the RFC.

Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511

-----Original Message-----
From: roy at node10c4d.a2000.nl [mailto:roy at node10c4d.a2000.nl]On Behalf Of
Roy Arends
Sent: Monday, March 26, 2001 4:44 PM
To: Bob Vance
Cc: sbm-BIND-L (E-mail)
Subject: RE: NS record question

On Mon, 26 Mar 2001, Bob Vance wrote:

> >2) the set of slaves for both zones are identical AND
> Hmm. I don't see why this matters -- I'll have to cogitate on it for a
> while.

When they do not have the same slaves specified, for instance parent has
slave A and child has slave B, then slave A does not have the zone-cut
records when they are omitted from the parent. Any query for a child of
a zone, asked to slave A, will result in an NXDOMAIN.

> >3) you're using bind-8, which can not differ apex and zone-cut records
> Ahh.
> Yeah, I'm using BIND 8.2.3.
> We're obviously getting into water that's way over my head, here :)
> That would explain why the NS records showed up fine for me, vis-a-vis
> BIND8, when they only appeared in the child zone file.  I didn't
> that there had already been an issue of distinguishing the two types
> NS records that has been addressed in BIND9.
> Is this issue discussed in the docs or is there a URL that has info on
> this issue?

RFC 2535, 2.3.4 and you might want to check namedroppers. BIND-9 was
built with DNSSEC in mind. When using DNSSEC, every single record in the
zone has its own SIG, created by the zone's zone-KEY. NS records at the
child zone have a SIG from the child's zone KEY. This is why there has
to be a distinction between NS records at parent and child.


Roy Arends
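
Added example, not part of the original thread and not BIND code: a toy authoritative-only lookup showing why a slave that loads only the parent zone returns NXDOMAIN when the zone-cut NS records are omitted, and why a server holding both zones still answers. Zone names, server names and the address are constructed, and all function names are hypothetical.

```python
PARENT, CHILD = "example.com.", "sub.example.com."   # constructed names
QNAME = "www.sub.example.com."

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def ns_role(origin, owner):
    """Classify an NS RRset stored in the zone whose apex is `origin`."""
    # apex: authoritative here (with DNSSEC, signed by this zone's KEY)
    # zone-cut: delegation point; the child zone holds the authoritative copy
    return "apex" if owner == origin else "zone-cut"

def names_below_apex(qname, origin):
    """qname and its ancestors, excluding the apex, topmost first."""
    out, name = [], qname
    while name != origin:
        out.append(name)
        name = name.split(".", 1)[1]
    return out[::-1]

def answer(origin, rrsets, qname, qtype):
    """Answer from ONE zone; rrsets maps (owner, type) -> rdata list."""
    for name in names_below_apex(qname, origin):
        if (name, "NS") in rrsets:                 # zone cut: refer downward
            return ("REFERRAL", rrsets[(name, "NS")])
    if (qname, qtype) in rrsets:
        return ("NOERROR", rrsets[(qname, qtype)])
    exists = any(in_zone(owner, qname) for owner, _ in rrsets)
    return ("NODATA", []) if exists else ("NXDOMAIN", [])

def serve(zones, qname, qtype):
    """zones maps apex -> rrsets for every zone this server has loaded."""
    loaded = [o for o in zones if in_zone(qname, o)]
    if not loaded:
        return ("REFUSED", [])
    apex = max(loaded, key=len)                    # most specific zone wins
    return answer(apex, zones[apex], qname, qtype)

# Constructed zone contents (documentation address range).
PARENT_NO_CUT = {(PARENT, "NS"): ["slave-a.example.com."]}
PARENT_WITH_CUT = {**PARENT_NO_CUT, (CHILD, "NS"): ["slave-b.example.com."]}
CHILD_ZONE = {(CHILD, "NS"): ["slave-b.example.com."],
              (QNAME, "A"): ["192.0.2.10"]}

if __name__ == "__main__":
    print(serve({PARENT: PARENT_NO_CUT}, QNAME, "A"))    # slave A, cut omitted
    print(serve({PARENT: PARENT_WITH_CUT}, QNAME, "A"))  # slave A, cut present
    print(serve({PARENT: PARENT_NO_CUT, CHILD: CHILD_ZONE}, QNAME, "A"))  # both zones
```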
