glue records in child zone

Valentin Nechayev netchv at gmail.com
Thu Oct 23 17:47:52 UTC 2008


> I'll start by saying there may be some nuance of the RFC that I'm not 
> grasping, and I'm sure Mark or someone will pipe up if I get this wrong...  
> that said...
> 
> I believe your problem is that, once you have a zone cut in place (a 
> delegation to a subzone) then the parent zone is no longer authoritative 
> for anything below that cut.  In your example, the parent zone 
> (example.org) delegates authority for hq.example.org, and so it is not 
> authoritative for anything at or below that domain.. which means that it 
> can't give an authoritative answer for ns1.hq.example.org.

Yes, this is exactly what I suppose is the source of the problem. BTW, setting
"noaaonly" as a query flag doesn't change the response for 9.4.2 - it still
responds with an empty additional section.

I forgot to mention that there is a real example of such a situation working in the world DNS:

;; ANSWER SECTION:
net.                    71243   IN      NS      g.gtld-servers.net.
net.                    71243   IN      NS      h.gtld-servers.net.
net.                    71243   IN      NS      i.gtld-servers.net.
[...]
;; ADDITIONAL SECTION:
a.gtld-servers.net.     70962   IN      A       192.5.6.30
a.gtld-servers.net.     70962   IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     70962   IN      A       192.33.14.30
b.gtld-servers.net.     70962   IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     70962   IN      A       192.26.92.30

At the same time, gtld-servers.net. is a child zone of net.:

;; ANSWER SECTION:
gtld-servers.net.       70913   IN      NS      h2.nstld.com.
gtld-servers.net.       70913   IN      NS      l2.nstld.com.
gtld-servers.net.       70913   IN      NS      a2.nstld.com.
[...]

Some root servers (e.g. f.root-servers.net, c.root-servers.net) have
the same version as mine (9.4.2) and still respond with a full list of
glue records. So, it is possible for these versions, isn't it?

> It can provide glue for ns.hq.example.org because that is necessary for the 
> delegation to work, but that glue is actually passed as non-authoritative 
> data.
> 
> If you really want to use a host in the subzone as the name server for the 
> parent zone, then you should remove the ns1.hq.example.org host from the 
> example.org zone.  I don't recommend this, however.. even if it's 
> technically permissible, it seems likely this could cause some problems 
> higher up the delegation chain.  My recommendation would be to make sure 
> that the authoritative servers for the example.com zone are within that 
> zone, not within some subzone.

This is already planned, but there are administrative problems with such
delegation and I'm investigating how we can postpone this change.


-netch-
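
The zone-cut rule discussed in this thread, as an added Python example that is not part of the original message and is not BIND's code: it classifies each NS target as authoritative data, glue below a cut, or out-of-zone, and flags delegations with no glue. The function names and the sample zone contents (including ns2.example.org and the address list) are constructed for illustration.

```python
def labels(name):
    """Lowercase labels of a domain name, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_subdomain(name, zone):
    """True when `name` is at or below `zone` (whole-label suffix match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and (not z or n[-len(z):] == z)

def classify(name, origin, cuts):
    """How the zone `origin` holds data for `name`; `cuts` are delegated children."""
    if not is_subdomain(name, origin):
        return "out-of-zone"
    if any(is_subdomain(name, cut) for cut in cuts):
        return "glue"            # at or below a zone cut: non-authoritative
    return "authoritative"

def audit_ns(origin, cuts, ns_targets, address_owners):
    """Report, per NS target, whether the parent zone can supply its address."""
    owners = {tuple(labels(o)) for o in address_owners}
    report = {}
    for ns in ns_targets:
        kind = classify(ns, origin, cuts)
        has_addr = tuple(labels(ns)) in owners
        if kind == "glue":
            report[ns] = "glue only" if has_addr else "missing glue"
        elif kind == "authoritative":
            report[ns] = "authoritative" if has_addr else "no address record"
        else:
            report[ns] = "out-of-zone, resolved elsewhere"
    return report

# Constructed sample modelled on the thread: example.org delegates hq.example.org.
ORIGIN = "example.org."
CUTS = ["hq.example.org."]
NS_TARGETS = ["ns1.hq.example.org.", "ns.hq.example.org.",
              "ns2.example.org.", "a2.nstld.com."]
# Owners of A/AAAA records present in the parent zone file (constructed).
ADDRESS_OWNERS = ["ns1.hq.example.org.", "ns2.example.org."]

if __name__ == "__main__":
    for ns, status in audit_ns(ORIGIN, CUTS, NS_TARGETS, ADDRESS_OWNERS).items():
        print(f"{ns:24} {status}")
```
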


