zone before delegation?
kcd at chrysler.com
Fri Oct 28 19:50:21 UTC 2011
On 10/28/2011 12:48 PM, Laws, Peter C. wrote:
> It seems like there are two ways I could delegate a zone.
> I could, in the zone file for the parent, simply list the name of the zone
> and a number of NS records to which the zone has been delegated.
> Or, I could create a zone statement within named.conf that points to a file
> that contains an SOA and a number of NS records to which the zone has been
In and of itself, that's not "delegation".
> Which is better and which should I prefer?
> Ideally, I'd like to make the zone first with the NSes pointed to the same
> server plus various and sundry other As and CNAMEs, but need help on this
> point before I do anything.
> BTW, this is on RHEL's BIND9 and no, the master has yet to have the RHEL
> bind97 RPMs installed, and yes, I am a bad admin for not doing that.
No, there aren't 2 ways of "delegating" a zone. You should think of this
as 2 separate functions: "hosting" a zone, versus "delegating" the zone.
You can host a zone that's not delegated, but then it's not connected to
the overall namespace tree, so resolvers won't be able to find it
through the normal algorithm for following delegation chains. In order
for anyone to resolve anything from the zone, they'd have to have
specific knowledge of where the zone is hosted (or talk to something
that has that explicit knowledge, or with even more levels of
indirection, e.g. zones of type "forward" or "stub", but ultimately some
zone-specific explicit configuration is necessary).
On the other hand, you can delegate a zone and **not* *host it. This is
done all the time (think gTLD or ccTLD servers delegating zones to
domain registrants rather than hosting it themselves).
It's kind of like the difference between having a phone line installed
and publishing the number in the phone book. Some people have unlisted
phone numbers (analogous to undelegated zones), and then only their
friends, relatives, etc. will use it (maybe the occasional robo-caller).
Or, you can publish your phone number in the phone book, so anyone
generally can call you if they need to.
Undelegated zones tend to be rather rare, since really the whole point
of having a hierarchical namespace is so that the relevant information
can be found using a relatively-simple search-within-hierarchy
algorithm. Also, as others have pointed out, DNSSEC assumes normal
delegation chains, so undelegated zones miss out there too.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users