Legal redelegation method?
Kevin Darcy
kcd at daimlerchrysler.com
Fri May 21 00:46:45 UTC 2004
Chris De Young wrote:
>Hi,
>
>This is more of a DNS spec question than a question specific to bind;
>I apologize if this isn't the right forum for such. (If that's the
>case, pointers to the right place would be welcome.)
>
>Is it legal in DNS to re-delegate an entire zone for which one is
>authoritative, as opposed to a subdomain of it?
>
>For example, let's say that I am authoritative for arizona.edu (which
>I am). I've delegated a subdomain off to another nameserver:
>
>;
>$origin hacks.arizona.edu.
>@ in ns hacks.arizona.edu.
>@ in a 150.135.84.2
>;
>
>Is it legal for the nameserver at 150.135.84.2 to be configured with
>"hacks.arizona.edu" as a master zone, but then in the zone file have
>only an SOA record and NS records, the intent being to delegate it to
>someone else?
>
>Or is this something that must be done from the parent
>("arizona.edu")?
>
Must be done from the parent zone. If you try to "redelegate" like this,
anyone asking the 150.135.84.2 nameserver about a name under the zone
apex will presumably get an NXDOMAIN response (since the authoritative
server has no records owned by the name), and believe it. Even if you
were to somehow hack the 150.135.84.2 to give a referral instead of an
NXDOMAIN, it would be a "sideways" (= bogus) referral, and any decent
resolver implementation will ignore it (and probably mark the source as
"lame" to boot!). "Redelegation" simply doesn't work.

The hierarchical structure of the DNS namespace is more than just a
convention; it's integral to the whole DNS-resolution algorithm.
- Kevin
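
An added illustration of the "sideways referral" point in the reply above; it is not part of the original post and is not BIND's code. It sketches the sanity check a resolver can apply to the NS owner name in a referral, using the hacks.arizona.edu names from the thread; the function names and result strings are hypothetical.

```python
# Added example: classify a referral by where its NS owner name sits
# relative to the zone the resolver was already querying.

def labels(name):
    """Split a domain name into lowercase labels; the root is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_at_or_below(child, parent):
    """True if child equals parent or is a descendant of it."""
    c, p = labels(child), labels(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def classify_referral(qname, current_zone, ns_owner):
    """qname: name being resolved.
    current_zone: zone the queried server was reached for.
    ns_owner: owner name of the NS RRset in the authority section."""
    if not is_at_or_below(qname, ns_owner):
        return "bogus: unrelated to qname"
    if not is_at_or_below(ns_owner, current_zone):
        return "bogus: upward"
    if labels(ns_owner) == labels(current_zone):
        # No progress toward qname: the "redelegation" case in the thread.
        return "bogus: sideways"
    return "ok: downward"

# Constructed sample referrals: (qname, current_zone, ns_owner)
SAMPLES = [
    # Parent arizona.edu delegating hacks.arizona.edu: normal.
    ("www.hacks.arizona.edu", "arizona.edu", "hacks.arizona.edu"),
    # Server for hacks.arizona.edu "referring" for its own apex.
    ("www.hacks.arizona.edu", "hacks.arizona.edu", "hacks.arizona.edu"),
    # Server for hacks.arizona.edu pointing back up the tree.
    ("www.hacks.arizona.edu", "hacks.arizona.edu", "arizona.edu"),
]

if __name__ == "__main__":
    for qname, zone, owner in SAMPLES:
        print(f"{zone} -> NS {owner}: {classify_referral(qname, zone, owner)}")
```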