zone files for subdomains...

Jim Reid jim at rfc1035.com
Sun Sep 14 14:36:03 UTC 2003


>>>>> "Jeff" == Jeff Lasman <jblists at nobaloney.net> writes:

    Jeff> However, the programmers who wrote DirectAdmin do it
    Jeff> slightly differently...

    Jeff> Whenever I set up a domain such as sub.example.com, they
    Jeff> automatically set up a new zone file for it, but they don't
    Jeff> delegate in the master (such as example.com).

Failing to make the delegation in the parent is completely and utterly
wrong.

    Jeff> They tell me it's not necessary to do it the way I've been
    Jeff> doing it, that bind will always search for the specific
    Jeff> domain first in the conf file and if it finds a reference
    Jeff> for it, it will use that zone file.

    Jeff> Are they right?  Is the behavior documented and likely to
    Jeff> continue in future releases?  Is it "reasonable" for them to
    Jeff> make the presumption?

No, it's not right. The authors of this software have a serious lack
of clue about how the DNS works. It would be very unwise to use a tool 
that's as badly broken as this.

If there's no delegation for some zone in its parent zone, that child
zone simply does not exist. End of story. It's purely a fluke that
things appear to work with the fundamentally broken scheme these guys
seem to have implemented. They are relying on all of the parent zone's
servers also serving the child zone. This may or may not be true. I.e.,
when a resolving server looks up sub.example.com (say), they query the
example.com name servers who, luckily (or unluckily, depending on your
perspective), can answer for the name in sub.example.com that has
been looked up. This is a collection of accidents waiting to happen.

For instance, if sub.example.com got moved to another set of name
servers, nobody will be able to find them as no delegation info was
provided in the example.com zone. So sub.example.com would vanish from
the DNS. The zone would cease to exist because nobody was able to look
it up. If one of the example.com name servers didn't also serve
sub.example.com, queries to that server for sub.example.com would fail
with an NXDOMAIN -- no host/domain -- error. That would mean some
parts of the internet would see sub.example.com and others wouldn't,
depending on which name server for example.com they queried. Not only
would this be very bad, it would be a hard problem for inexperienced
administrators to troubleshoot.
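
A check for the condition described in this message, as an added example that is not part of the original post: it lists zones a server is configured to serve that have no NS records at their name in the parent zone. The zone names, file contents and function names are constructed for illustration; the parser assumes one record per line with an explicit owner name and numeric TTLs.

```python
import re

# Constructed sample data: zones declared in named.conf and the parent zone file.
NAMED_CONF = '''
zone "example.com" { type master; file "example.com.db"; };
zone "sub.example.com" { type master; file "sub.example.com.db"; };
zone "shop.example.com" { type master; file "shop.example.com.db"; };
'''
PARENT_ZONE = '''
$ORIGIN example.com.
@    3600 IN SOA ns1 hostmaster 2003091401 7200 3600 604800 3600
@    3600 IN NS  ns1
ns1  3600 IN A   192.0.2.1
shop 3600 IN NS  ns1.example.com.
'''


def configured_zones(conf):
    """Zone names declared in named.conf text, lower-cased, no trailing dot."""
    return {z.lower().rstrip(".") for z in re.findall(r'zone\s+"([^"]+)"', conf)}


def ns_owners(zone_text, origin):
    """Fully qualified owner names that carry NS records in a zone file."""
    owners = set()
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()
        if fields and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".")
        # Record type = first field after the owner that is not a TTL or class.
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        if not rest or rest[0].upper() != "NS":
            continue
        name = origin + "." if fields[0] == "@" else fields[0]
        owners.add((name.rstrip(".") if name.endswith(".") else f"{name}.{origin}").lower())
    return owners


def undelegated(conf, parent, parent_text):
    """Configured child zones of `parent` with no NS records in the parent zone."""
    below = {z for z in configured_zones(conf) if z.endswith("." + parent)}
    # A zone nested under another configured child is that child's to delegate.
    direct = {z for z in below if not any(z.endswith("." + o) for o in below)}
    return sorted(direct - ns_owners(parent_text, parent))


if __name__ == "__main__":
    for zone in undelegated(NAMED_CONF, "example.com", PARENT_ZONE):
        print(f"{zone}: served here but not delegated from example.com")
```
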

