How to look up my NS and glue information in root zone files?

John Manly jwmanly at amherst.edu
Thu Feb 19 14:02:31 UTC 2004


Hello.  I have a question about how my initial NS record information
gets stored in the root zone files, and how I can check
to make sure that it's right.  I thought I could use DIG for this, but
I'd like someone out there to confirm that this really
does what I think it does.

In the top-level zone file for one of my DNS zones (AMHERST.EDU), I
have the following four NS records:

               IN      NS      ns.amherst.edu.
               IN      NS      dnsauth1.sys.gtei.net.
               IN      NS      dnsauth2.sys.gtei.net.
               IN      NS      dnsauth3.sys.gtei.net.

So when I do a "dig @ns.amherst.edu amherst.edu ns +norecurse", the
result I get includes this:

;; ANSWER SECTION:
amherst.edu.            3600     IN      NS      dnsauth2.sys.gtei.net.
amherst.edu.            3600     IN      NS      dnsauth3.sys.gtei.net.
amherst.edu.            3600     IN      NS      ns.amherst.edu.
amherst.edu.            3600     IN      NS      dnsauth1.sys.gtei.net.

What I want to verify is that the NS records listed above are also what
are listed in the master zone file for the EDU domain.
So I try this: "dig @a.root-servers.net amherst.edu ns +norecurse", but
what I get is the following (partial):

;; AUTHORITY SECTION:
edu.                    172800  IN      NS      L3.NSTLD.COM.
edu.                    172800  IN      NS      D3.NSTLD.COM.
edu.                    172800  IN      NS      A3.NSTLD.COM.
edu.                    172800  IN      NS      E3.NSTLD.COM.
edu.                    172800  IN      NS      C3.NSTLD.COM.
edu.                    172800  IN      NS      F3.NSTLD.COM.
edu.                    172800  IN      NS      G3.NSTLD.COM.
edu.                    172800  IN      NS      B3.NSTLD.COM.
edu.                    172800  IN      NS      M3.NSTLD.COM.

This answer suggests that the .EDU top-level domain has been delegated
to the above servers.
So I then try: "dig @L3.NSTLD.COM amherst.edu ns +norecurse", and in
fact I get back the following:

;; ANSWER SECTION:
amherst.edu.            172800  IN      NS      NS.amherst.edu.
amherst.edu.            172800  IN      NS      DNSAUTH1.SYS.GTEI.NET.
amherst.edu.            172800  IN      NS      DNSAUTH2.SYS.GTEI.NET.
amherst.edu.            172800  IN      NS      DNSAUTH3.SYS.GTEI.NET.

This appears to indicate that the NS records stored for my domain in
fact match mine.  My question: is
that really what the above DIG command shows?  Does a DIG command
against one of these top-level
servers really show me what is stored in the top-level zone files for my
NS records, or does this
information get overlaid somehow with the records that are actually in
my own zone file?

Another way of asking this: if I want to change my list of NS records, I
presumably have to somehow
notify the top-level zone authorities so that they can make
corresponding changes in the top-level
zone files.  How can I verify that that has actually been done?  (For
that matter, how do I verify
that the glue A records have been set correctly at that upper level?)

Thanks!

-- John W. Manly  <jwmanly at amherst.edu>
   Systems and Networking, Amherst College
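
An added example, not part of the original post: a Python check that compares the NS set returned by a parent-zone server with the NS set returned by the zone's own server, and flags in-zone nameservers that have no address (glue) record in the parent's response. The function names are hypothetical, and the sample text is the dig output quoted above plus one constructed glue line.

```python
# Added example. PARENT/CHILD are the dig outputs from the post; the glue
# record uses a constructed documentation address (192.0.2.53).
PARENT = """\
;; ANSWER SECTION:
amherst.edu.      172800  IN  NS  NS.amherst.edu.
amherst.edu.      172800  IN  NS  DNSAUTH1.SYS.GTEI.NET.
amherst.edu.      172800  IN  NS  DNSAUTH2.SYS.GTEI.NET.
amherst.edu.      172800  IN  NS  DNSAUTH3.SYS.GTEI.NET.
;; ADDITIONAL SECTION:
NS.amherst.edu.   172800  IN  A   192.0.2.53
"""
CHILD = """\
;; ANSWER SECTION:
amherst.edu.      3600    IN  NS  dnsauth2.sys.gtei.net.
amherst.edu.      3600    IN  NS  dnsauth3.sys.gtei.net.
amherst.edu.      3600    IN  NS  ns.amherst.edu.
amherst.edu.      3600    IN  NS  dnsauth1.sys.gtei.net.
"""

def parse_records(dig_text):
    """Return (owner, type, rdata) tuples from dig output, names lowercased."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()
        # Resource record lines look like: owner TTL class type rdata
        if (len(fields) >= 5 and not fields[0].startswith(";")
                and fields[1].isdigit() and fields[2].upper() == "IN"):
            records.append((fields[0].lower(), fields[3].upper(), fields[4].lower()))
    return records

def compare_delegation(parent_text, child_text, zone):
    """Diff parent vs. child NS sets and list in-zone servers lacking glue."""
    zone = zone.lower().rstrip(".") + "."          # normalise to absolute name
    parent, child = parse_records(parent_text), parse_records(child_text)
    p_ns = {r for o, t, r in parent if t == "NS" and o == zone}
    c_ns = {r for o, t, r in child if t == "NS" and o == zone}
    # Only nameservers inside the delegated zone need glue at the parent.
    need_glue = {n for n in p_ns if n.endswith("." + zone)}
    glue = {o for o, t, _ in parent if t in ("A", "AAAA")}
    return {
        "only_in_parent": sorted(p_ns - c_ns),
        "only_in_child": sorted(c_ns - p_ns),
        "missing_glue": sorted(need_glue - glue),
    }

if __name__ == "__main__":
    print(compare_delegation(PARENT, CHILD, "amherst.edu"))
```

Names are compared case-insensitively, so the upper-case names from the parent match the lower-case ones from the zone's own server.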




