Chained NS delegation: RFC compliant or not?

Mark Andrews Mark_Andrews at isc.org
Tue Oct 26 22:13:46 UTC 2004 

> Andreas Meile wrote:
> 
> >Dear BIND users
> >
> >Recently, I would visit a web site hosted by a German company. The problem:
> >I can't visit it because I get a lot of
> >
> >Oct 10 22:28:47 pingu named[153]: Lame server on 'ns1.foobar.de' (in
> >'foobar.de'?): [192.36.144.211].53 'H.NIC.de'
> >Oct 10 22:28:48 pingu named[153]: Lame server on 'ns1.foobar.de' (in
> >'foobar.de'?): [210.81.13.179].53 'K.NIC.de'
> >Oct 10 22:28:48 pingu named[153]: Lame server on 'ns1.foobar.de' (in
> >'foobar.de'?): [81.91.161.5].53 'A.NIC.de'
> >Oct 10 22:28:48 pingu named[153]: Lame server on 'ns1.foobar.de' (in
> >'foobar.de'?): [193.0.0.237].53 'F.NIC.de'
> >
> >in my local name server which runs as BIND named. The analysation shows the
> >following situation:
> >
> >pingu:~ # host -t ns site-i-want-visit.de
> >site-i-want-visit.de name server ns2.foobar.de
> >site-i-want-visit.de name server ns1.foobar.de
> >pingu:~ # host -t ns foobar.de
> >foobar.de name server ns3.delegated-again.net
> >foobar.de name server ns.delegated-again.net
> >foobar.de name server ns2.delegated-again.net
> >pingu:~ # _
> >
> >i.e. this webhoster ISP implemented a chained delegation. At my knowledge,
> >this violates RFC 1912, section 2.8. Could anyone agree or disagree that?
> >
> RFC 1912 is an informational RFC, so there's no such thing as 
> "violation". I think "chained delegation" is bad terminology also, since 
> it implies a "delegation to a delegation", which is not the case here. 
> There's absolutely nothing wrong with having a domain delegated to 
> nameservers in one TLD (e.g. .de), where the names of the nameservers 
> themselves are in some other TLD (e.g. .net). In fact, this is a 
> necessity, unless every TLD is going to be self-contained (would you 
> want to have to put the names of your reverse-zone nameservers under the 
> .arpa TLD?).
> 
> It sounds like you want to make some sort of big lawyerly deal out of 
> this situation, but really it's just a simple case of lame delegation, 
> and should be treated as such.
> 
>                                                                          
>                                                       - Kevin

	Well having nameservers not officially serve the zone they
	live in causes problems for older BIND 8 caching servers
	and BIND 4 caching servers (not that anyone should be running
	either of these anymore).  It also introduces more work for
	every other caching server.

	By officially serve I mean if the servers name is ns1.example.net
	it is listed as a nameserver for example.net.  This ensures
	that caches don't have to go chasing all over the net to
	find a zone that has added glue to the parent zone.  You
	can't avoid having to add glue though people seem to want
	to try hard.

	Note this is unrelated to the "Lame server" log messages.

	The OP should post real names if he want more help.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list