Wrong names for NS and glue records not in the child zone

Laurent Bauer l.bauer at mailclub.fr
Mon Dec 20 10:05:26 UTC 2010


We (my company) are registrar for a domain name which is delegated to
our client NS. Our client wanted to change the NS records (just the
names, same IP addresses) but the registry put the wrong names and
created glue records instead.
Obviously the glue records are not present in the child zone, and the NS
names do not match either, as this is not what the client had configured.

The registry NS return an authority section like :
  domain.tld.	IN	NS	ns1.domain.tld.
  domain.tld.	IN	NS	ns2.domain.tld.
and an additional section with these glue records.

The delegation should be :
  domain.tld.	IN	NS	ns1.domain.com.
  domain.tld.	IN	NS	ns2.domain.com.
which are also glue records, by the way, but domain.com. resolution is OK.

Anyway, my cache NS (bind 9.7.1-P2) still resolves A records for
www.domain.tld. I flushed the cache before.
Does it mean that bind ignores the authoritative answer for glue records
and the NS records ? Is it just because the IP addresses are the same,
or some kind of tolerance to this kind of configuration error ? Could
this be an implementation-dependant behaviour ?

A "dig +trace" query fails with "connection timed out; no servers could
be reached" when trying to query the authoritative NS for domain.tld.
While I might find this is the right behaviour that dig only follows
authoritative NS, is it not supposed to connect to ns1.domain.tld. and
then return NXDOMAIN for ns1.domain.tld. ?

My main problem is that the registry tells us there is no problem, as
the resolution is still OK for www records.
I would like to explain this, and have other arguments than "the client
does not want that" or "this will stop resolving the moment the glue
records change for ns1.domain.com."

Thanks in advance for any answer to my questions.


More information about the bind-users mailing list