Cannot Delete Glue record

Kevin Darcy kcd at chrysler.com
Wed May 13 16:59:32 UTC 2009


Luke Hopkins wrote:
> I have a glue (nameserver host) record which hasn't been used in years and I want to delete it (and ultimately re-use the name). Attempting a delete through UKreg (Fasthosts) gives me this:
>
> Error: NameServerHosts Delete (Nameserver deletion failed at registry: 420 Object association prohibits operation.)
>
> I cannot find any way to check what domains are attached to it, and UKreg support are unable to help (check manually was their answer).
>
> We don't have that many domains, so I've checked them all manually, both the zone files and what the registrar has listed as authoritative, but this glue record isn't used by us.
>
> Is there a way/tool which can check what domains are attached to a glue record?
>
> For reference, the name is ns0.broadbean.net
>
>   
They should be able to look into the registry database to find this.

It might be very difficult for you, as a customer, to ascertain, outside 
of the DNS protocol itself, what domain(s) might be delegated to that 
name. If your registry is lax about checking such things, it's 
conceivable that someone has delegated their domain(s) to your 
nameserver without your consent, in order to meet a 2-nameserver 
delegation requirement, while only actually having a single 
authoritative nameserver hosting the zone. In that scenario, if you have 
everything in a single "view", and open access to the cache, and with 
open recursion (or one of your "trusted" recursive clients went rogue), 
they might even be able to "poke" your nameserver periodically, in order 
to populate your cache with desired records, and thus leech off your 
resolution services. That's another reason why it's recommended to 
either a) strictly limit access to your cache (later versions of BIND do 
this more conveniently and by default), or b) have separate views for 
recursive and non-recursive (hosting) service.

But I digress...

One investigative approach would be to point that name at a valid 
address in your Internet-facing range, and record -- by using a sniffer, 
or bringing up a minimal nameserver and turning on query logging -- what 
queries you're getting, and for what zones.

- Kevin
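
Added example, not part of the original post: one way to summarise the query log from the minimal nameserver suggested above, listing names queried iteratively that fall outside the zones you actually host. The log line layout (typical BIND 9 `queries` category output), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches BIND 9 query-log lines, with or without the "@0x..." client
# pointer and "(qname)" annotation that newer releases add.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

def in_zone(qname, zones):
    """True if qname equals or is a subdomain of any zone in `zones`."""
    return any(qname == z or qname.endswith("." + z) for z in zones)

def unexpected_queries(lines, own_zones):
    """Map qname -> set of client IPs for non-recursive queries that fall
    outside the zones this server is supposed to host."""
    own = {z.lower().rstrip(".") for z in own_zones}
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        # '-' = RD bit clear: an iterative query, as sent by a resolver
        # that was referred to this server by a delegation.
        if not m.group("flags").startswith("-"):
            continue
        qname = m.group("qname").lower().rstrip(".")
        if not in_zone(qname, own):
            seen[qname].add(m.group("ip"))
    return dict(seen)

# Constructed sample log lines (documentation addresses and names only).
SAMPLE_LOG = """\
13-May-2009 16:59:32.101 queries: info: client 192.0.2.10#53124: query: www.example.net IN A -E
13-May-2009 16:59:33.417 queries: info: client 198.51.100.7#40211: query: www.thirdparty.example IN A -
13-May-2009 16:59:34.002 queries: info: client 203.0.113.9#1033: query: thirdparty.example IN MX -E
13-May-2009 16:59:35.550 queries: info: client 192.0.2.55#5353: query: www.example.org IN A +
13-May-2009 16:59:36.000 client @0x7f2a1c0 198.51.100.8#4000 (www.thirdparty.example): query: www.thirdparty.example IN A -E(0)D (192.0.2.1)
""".splitlines()

if __name__ == "__main__":
    hits = unexpected_queries(SAMPLE_LOG, ["example.net"])
    for name, clients in sorted(hits.items()):
        print(f"{name}\t{len(clients)} distinct client(s)")
```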



