do I have this wrong?

Chris Buxton cbuxton at menandmice.com
Sat May 30 20:23:13 UTC 2009


On May 29, 2009, at 11:47 AM, Maria Iano wrote:
> If I should not be sending this to this list please let me know.  
> Please let me know if you think I have this wrong:
>
> Bare Minimum to be considered a usable DNS server (under limited  
> conditions):
>
> When a zone is configured locally as a master or slave zone, only  
> hand out data from the local configuration. Do not accept records in  
> that zone into the cache that come from another server. Never hand  
> out data in that zone received from another server.
>
> Desired Behavior to be considered a good working DNS server:
>
> In addition to the above:
>
> When a zone is configured locally as a stub zone, only accept into  
> cache records in that zone from the zone's name servers as  
> configured in the stub zone. Never hand out data from that zone  
> unless it was received from one of the zone's name servers.
>
> When a zone is configured locally as a forward zone, only accept  
> records in that zone into the cache that come from the servers to  
> which the zone was specified to be forwarded. Never hand out data  
> from that zone unless it was received from one of the forwarders.


That doesn't sound too far off the mark to me, except for the bit  
about stub zones. The server needs to be able to follow referrals out  
of that zone, to subzones.

Remember that stub zones and forward zones actually affect the  
resolver's behavior for domains, not just zones. (A domain = a zone +  
all delegated subdomains.)

The rules you present are (a) a rule about preferring authoritative  
data to cached data, and (b) two rules that form part of the basic  
credibility tests of a resolving name server. More complete and formal  
versions of the rules for these situations exist in the RFCs.

Chris Buxton
Professional Services
Men & Mice
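An added illustration of the rules discussed above, written for this page and not taken from the thread or from BIND's source: a toy credibility check that decides whether a record received from a given server may enter a resolver's cache. It applies the master/slave, stub and forward rules as Maria wrote them, treats stub and forward zones as governing the whole domain (apex plus everything delegated below it), and adds Chris's caveat that a resolver must be able to follow a referral out of a stub zone to a delegated subzone. The zone names, server addresses and the `CredibilityChecker` class are all invented for the example; real resolvers rank data more finely (RFC 2181, section 5.4.1) than this model does.

```python
from dataclasses import dataclass


def labels(name):
    """Split a domain name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_domain(name, apex):
    """True if name is apex or lies below it: the domain, not just the zone."""
    n, a = labels(name), labels(apex)
    return len(n) >= len(a) and n[-len(a):] == a


@dataclass(frozen=True)
class Zone:
    kind: str                          # "master", "slave", "stub" or "forward"
    servers: frozenset = frozenset()   # stub masters or forwarders (hypothetical)


class CredibilityChecker:
    """Toy model (not BIND's code): may a record about `name` from `source` be cached?"""

    def __init__(self, zones):
        self.zones = dict(zones)   # apex -> Zone, as configured locally
        self.delegations = {}      # subzone apex -> servers learned via a referral

    def _closest(self, name, table):
        """Longest-matching apex in `table` that encloses `name`, or None."""
        best = None
        for apex in table:
            if in_domain(name, apex) and (best is None or len(labels(apex)) > len(labels(best))):
                best = apex
        return best

    def credible_servers(self, name):
        """Servers whose data about `name` may be cached; None means any (plain recursion)."""
        z = self._closest(name, self.zones)
        d = self._closest(name, self.delegations)
        if d is not None and (z is None or len(labels(d)) > len(labels(z))):
            return self.delegations[d]   # a subzone reached by referral out of a stub zone
        if z is None:
            return None
        zone = self.zones[z]
        if zone.kind in ("master", "slave"):
            return frozenset()           # answer from local data only; never cache from the net
        return zone.servers              # stub or forward: only the configured servers

    def accept(self, name, source):
        allowed = self.credible_servers(name)
        return allowed is None or source in allowed

    def learn_referral(self, subzone, servers, source):
        """Follow a referral to a delegated subzone. Only allowed when the name is
        governed by a stub zone (or a delegation already learned from one) and the
        referring server was itself credible; forward zones send everything to the
        forwarders and follow no referrals."""
        z = self._closest(subzone, self.zones)
        d = self._closest(subzone, self.delegations)
        by_stub = z is not None and self.zones[z].kind == "stub"
        by_delegation = d is not None and (z is None or len(labels(d)) > len(labels(z)))
        if not (by_stub or by_delegation):
            return False
        if source not in self.credible_servers(subzone):
            return False
        self.delegations[subzone] = frozenset(servers)
        return True


# Constructed configuration for the demo; all names and addresses are made up.
DEMO_ZONES = {
    "example.test.": Zone("master"),
    "partner.test.": Zone("stub", frozenset({"192.0.2.10"})),
    "corp.test.": Zone("forward", frozenset({"192.0.2.53"})),
}


def demo():
    c = CredibilityChecker(DEMO_ZONES)
    results = {
        "master_from_net": c.accept("www.example.test.", "198.51.100.7"),
        "stub_from_master": c.accept("www.partner.test.", "192.0.2.10"),
        "stub_from_other": c.accept("www.partner.test.", "198.51.100.7"),
        "forward_from_forwarder": c.accept("mail.corp.test.", "192.0.2.53"),
        "subzone_before_referral": c.accept("host.lab.partner.test.", "192.0.2.20"),
        "referral_from_stub": c.learn_referral("lab.partner.test.", {"192.0.2.20"}, "192.0.2.10"),
        "subzone_after_referral": c.accept("host.lab.partner.test.", "192.0.2.20"),
        "referral_from_forwarder": c.learn_referral("lab.corp.test.", {"192.0.2.30"}, "192.0.2.53"),
        "referral_from_stranger": c.learn_referral("x.partner.test.", {"203.0.113.9"}, "203.0.113.9"),
        "unconfigured_name": c.accept("www.unrelated.test.", "203.0.113.9"),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `subzone_before_referral` and `subzone_after_referral` entries show the difference Chris points out: under Maria's stub-zone rule alone, data for `lab.partner.test.` from the subzone's own server is refused, whereas once the referral from the stub zone's configured server has been followed it is accepted. The same referral arriving under a forward zone, or from a server that was not credible for the name, is ignored.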



