DNSSEC and child zones on same authoritative NS. Expert help needed.

Sam Wilson Sam.Wilson at ed.ac.uk
Tue Mar 16 15:58:22 UTC 2010


In article <mailman.814.1268703621.21153.bind-users at lists.isc.org>,
 Gary Wallis <wgg1970 at gmail.com> wrote:

> Let's say I have this setup :
> 
> BIND 9.4 named.conf includes a master.zones file with the following:
> 
> ...
>          zone "ns1.yourdomain.com" {
>                  type master;
>                  file "master/external/n/ns1.yourdomain.com.signed";
>          };
> 
>          zone "ns2.yourdomain.com" {
>                  type master;
>                  file "master/external/n/ns2.yourdomain.com.signed";
>          };
> 
>          zone "yourdomain.com" {
>                  type master;
>                  file "master/external/y/yourdomain.com.signed";
>          };
> ...
> 
> More background for question below:
> 
> The yourdomain.com is, I gather, the zone APEX for all featured zones 
> above. (Is this the correct use of the term APEX?)

"Parent", as Mark has already pointed out.

> I am learning via trial and error about transitioning from DNS to DNSSEC 
> and we have these child zones (is ns1.yourdomain.com really a child 
> zone, as regards the setup above?) that currently have precedence over 
> the parent zone yourdomain.com for conflicting A records. For example:
> 
> If
> 
> ns1 A 123.123.123.123
> 
> is placed in yourdomain.com zone.

Some nitpicking - I'm not a DNSSEC expert and I'm not commenting on that 
part of your question.  Including this record would normally be an 
error.  ns1.yourdomain.com is delegated into its own zone and the A 
record should be in that zone, not in the parent zone.[1]

> And a similar RR is placed in ns1.yourdomain.com zone, like:
> 
> ns1 IN A 10.0.0.1

If you place ns1 in the zone ns1.yourdomain.com then the name will be 
ns1.ns1.yourdomain.com.  If you force the name to be ns1.yourdomain.com 
[2] then that A record should override the one in the parent zone (see 
[1] again).

> And named reloaded.
> 
> dig @localhost ns1.yourdomain.com A +short
> 
> will return 10.0.0.1, the parent A RR is ignored.

Correct - see above.

Can't answer your DNSSEC queries, but I'm not sure if they're relevant 
if you correct the above.

Sam


[1] UNLESS ns1.yourdomain.com is also the name of one of the nameservers 
for a child zone in which case that record would be a glue record which 
would be valid in the parent zone.  It would normally be superseded by 
the corresponding A record in the child zone which is regarded as a more 
trustworthy source of data. There are various ways by which a server for 
the parent zone can learn the correct data from the child zone.

[2] You can do that by using the @ sign in the LHS of the A RR, or by 
using a fully qualified name (inflexible), or by using the $ORIGIN 
directive, or by leaving the name blank at the head of the zone 
(slightly risky).  Of these @ is the one mostly recommended.
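As an added illustration of the naming rules in [2] (example code written for this page, not from the thread or from BIND), the following Python resolves master-file owner names against the current origin; the sample zone data is constructed and only the syntax subset needed here is handled.

```python
# Added example: a small resolver for RFC 1035 master-file owner names.
# It shows why "ns1 IN A ..." inside the zone ns1.yourdomain.com names
# ns1.ns1.yourdomain.com, while "@", a trailing-dot FQDN, $ORIGIN, or a
# blank owner put the record at the apex. No $INCLUDE, no parentheses.

def resolve_owners(zone_name, master_file):
    """Return [(owner, type, rdata)] with every owner fully qualified."""
    origin = zone_name.rstrip(".") + "."
    prev_owner = None
    records = []
    for raw in master_file.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                  # $ORIGIN changes the origin; $TTL etc. ignored
            if line.startswith("$ORIGIN"):
                new = line.split()[1]             # a relative origin has the old one appended
                origin = new if new.endswith(".") else f"{new}.{origin}"
            continue
        fields = line.split()
        if line[0].isspace():                     # blank owner: inherit the previous one
            if prev_owner is None:
                raise ValueError("blank owner with no previous record")
            owner = prev_owner
        else:
            label = fields.pop(0)
            if label == "@":
                owner = origin                    # the apex of the current origin
            elif label.endswith("."):
                owner = label                     # absolute name, used as-is
            else:
                owner = f"{label}.{origin}"       # relative name: origin appended
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                         # skip optional TTL / class
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
        prev_owner = owner
    return records

# Constructed master file for the child zone ns1.yourdomain.com.
SAMPLE = """\
$TTL 3600
@      IN SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. 1 3600 900 604800 300
ns1    IN A    10.0.0.1      ; lands at ns1.ns1.yourdomain.com. (one label too deep)
@      IN A    10.0.0.2      ; apex: ns1.yourdomain.com.
       IN AAAA 2001:db8::1   ; blank owner inherits the apex
ns1.yourdomain.com. IN TXT "fqdn"   ; absolute name, also the apex
$ORIGIN yourdomain.com.
ns1    IN A    10.0.0.3      ; after $ORIGIN, relative ns1 is the apex again
"""
```

Calling `resolve_owners("ns1.yourdomain.com", SAMPLE)` shows the first A record at ns1.ns1.yourdomain.com. and the remaining ones at the apex.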
