Bogus NS records and Chocolate Chip Cookies

Bill Larson wllarso at
Mon Dec 2 16:02:30 UTC 2002

aaron wrote:

> I'm still curious (not having a solid grasp of DNS) why this is an
> issue at all since there seems to be no functional impact on the
> server regardless of if the NS entry is valid or not.

The issue is consistancy.  Zones have a name server identified for them or it would
not be known which server is responsible for the zone information.  Since a zone must
have a server, the BIND software requires that an "NS" record be included in every
zone.  (I don't know if this requirement is codified in any RFC, but I don't see it
is RFC1035.)  Rather than make an exception because it has "no functional impact", it
is simpler to require a "NS" record in each zone.

A reason that it does not matter what host you identify for the "NS" record is that
since the "PTR" record is already known by (almost) every
server, there will be no need to actually look up the IP address for the server and
contact it to obtain this PTR record.  The "NS" record will be included as part of
the additional data returned as a response to a DNS query, but since the answer is
already known it will not be used.  So, identifying some host in an actual domain, or
using "localhost.", or creating a bogus name, will all work.

Personally, I feel that using "localhost." in this zone is more
appropriate than using either a real host or some invented hostname.  A zone file
using "localhost." can be moved to any server without modification.  Pulling a
hostname out of the air may work today, but this name may conflict with a real domain
sometime in the future.  So, why create one in the first place?

If you really want to think about "hacks", think about the zone
itself.  This zone is defined on every server (as you pointed out, this means that
every server ***IS*** authoritative for some DNS information) simply to insure that
the IP address is mapped back into the hostname "localhost".

In reference to this zone, to quote the bible ("DNS and BIND",
Paul Albitz & Cricket Liu, O'Reilly and Assc., 4th Ed., pgs 66-67):

    Why do name servers need this silly little file?  Think about it for a second.
    No one was give responsibility for network 127.0.0/24, yet systems use it
    for a loopback address.  Since no one has direct responsibility, everyone
    who uses it is responsible for it individually.  You could omit this file and
    your name server would operate.  However, a lookup of might
    fail because the root name server contacted wasn't itself configured to map to a name.  You should provide the mapping yourself so there
    are no suprises.

But, as is stated, you CAN omit this zone and your server will work, although some of
your applications may fail.

(I really didn't realize that the root servers are not configured for this zone.  I
just queried "" and confirmed this.  Interesting - but truely

Bill Larson

More information about the bind-users mailing list