Why do some parent NSs "lie" about delegation records?

Simon Hobson shobson0309 at colony.com
Wed Jan 7 14:28:07 UTC 2004


Len Conrad wrote:

>(this point is beside the point of my "lie" question: the zone NS records
>are locally administered and in practice NOT as credible, are prone to
>local admin errors than are the parent NS glue records, which have been
>"filtered" through "host registration" process to arrive at the registry
>and into the parent NSs.

With that I disagree. The 'filtering' says nothing about accuracy, 
other than some very basic sanity checks, and also says nothing about 
whether the server specified actually has any data for the zone. I 
actually have a domain name where one of the listed servers does not 
exist at all, simply because it's something I'm doing some 
experimenting with and I've not bothered setting the second one up 
(yet).

The CORRECT, and authoritative data is that held in the zone, and 
hence at the child. The only reason for having the glue at all is to 
allow resolvers to locate a child server, any child server. Lookups 
will still work if the glue records at the parent don't match those 
in the child as long as at least one child server is correctly 
identified. Obviously the system works best when the parent and 
child agree on the NS records !

>While technically, the auth DNS answers 'aa' for
>the NS query, in practice the non 'aa' NS records received the zone parent
>are more accurate, and predominantly the records actually used by resolvers)

The non-authoritative glue records are only used to find a child, and 
are included only to avoid the catch 22 situation of needing to 
contact the child to get the NS records that will allow you to 
contact it. The child should respond in its queries with 
authoritative NS records which should replace any other data cached 
by the resolving client.

The fact that a local administrator may screw things up is immaterial 
- just because they can screw things up doesn't make that data any 
less authoritative. And remember that to do anything useful, the 
other records in the zone need to be there and correct as well - so if 
you trust an admin to have those, you should trust them to do the NS 
records (if they don't then it's their system that breaks).

Simon

-- 

NOTE: This is a throw-away email address which will reach me for as 
long as it stays spam-free, remove date for real address.

Simon Hobson, Technology Specialist
Colony Gift Corporation Limited
Lindal in Furness, Ulverston, Cumbria, LA12 0LD
Tel 01229 461100, Fax 01229 461101

Registered in England No. 1499611
Regd. Office : 100 New Bridge Street, London, EC4V 6JA.
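
The behaviour described in the message above, as an added example that is not part of the original post: a toy resolver cache in which the child's authoritative NS set replaces the parent's referral data, plus a check that reports where the two sets disagree. The zone example.test, its server names and all class and function names are constructed for illustration, and the two-level ranking is a simplification of RFC 2181 section 5.4.1.

```python
from dataclasses import dataclass

# Higher rank wins (simplified from the RFC 2181 section 5.4.1 ordering).
REFERRAL = 1     # non-aa NS set from a parent's referral (delegation)
AUTH_ANSWER = 2  # aa NS set answered by a server for the zone itself

def norm(names):
    """Case-fold and drop the trailing dot so names compare equal."""
    return frozenset(n.lower().rstrip(".") for n in names)

@dataclass(frozen=True)
class NsEntry:
    names: frozenset
    rank: int

class NsCache:
    """Toy resolver cache holding one NS set per zone (hypothetical)."""
    def __init__(self):
        self._data = {}

    def store(self, zone, names, rank):
        """Keep the new NS set unless a more credible one is cached."""
        held = self._data.get(zone)
        if held is not None and held.rank > rank:
            return False
        self._data[zone] = NsEntry(norm(names), rank)
        return True

    def lookup(self, zone):
        return self._data[zone]

def compare_delegation(parent_ns, child_ns):
    """Report how the parent's delegation differs from the child's NS set."""
    p, c = norm(parent_ns), norm(child_ns)
    return {
        "consistent": p == c,
        "reachable": bool(p & c),      # proxy: parent names a server the child lists
        "parent_only": sorted(p - c),  # candidates for lame delegation
        "child_only": sorted(c - p),   # servers absent from the delegation
    }

# Constructed sample data (example.test is a placeholder zone).
PARENT_NS = ["ns1.example.test.", "ns2.example.test."]
CHILD_NS = ["NS1.example.test.", "ns3.example.test."]

def demo():
    cache = NsCache()
    cache.store("example.test", PARENT_NS, REFERRAL)
    cache.store("example.test", CHILD_NS, AUTH_ANSWER)       # replaces the referral
    late = cache.store("example.test", PARENT_NS, REFERRAL)  # rejected: lower rank
    return cache.lookup("example.test"), late, compare_delegation(PARENT_NS, CHILD_NS)
```

The "reachable" field only checks that the parent names a server the child also lists; confirming that such a server actually answers authoritatively requires querying it.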

