Cathy Almond cathya at
Wed Mar 14 09:36:26 UTC 2012

On 13/03/12 20:46, Mark Andrews wrote:
> In message <CB84B51A.4A53A%dan.mcdonald at>, Daniel McDonald writ
> es:
>> On 3/13/12 8:20 AM, "hugo hugoo" <hugobxl at> wrote:
>>> ==> do I have to create in zone "" the following NS record:
>>>           TTL   IN   NS
>>> I have found cases where this situation is present and other when it is not
>>> present...and both cases seems to work.
>>> What is the difference?
>> The glue records aren't necessary when both the zone and subzone are on the
>> same server, although it is good to have them for completeness.  When the
>> zones are on different servers you need the glue records.
> No, they *are* necessary.  Just because their lack does not cause
> a resolution failure in all cases it doesn't mean they are not
> necessary.
> If the parent zone is signed but the child zone is unsigned then
> the lack of NS records *will* cause validation failures unless
> OPTOUT is in use even when both zones are only served by a common
> set of servers.
> DNSSEC catches out lots of bad practices that mostly pass unnoticed
> with plain DNS.
> Mark

I would recommend doing it properly including adding glue records (glue
is the A records associated with the NS records for the delegated child
zone - but only if those NS records point to names actually in the
delegated zone).

If you don't do it properly, and then in say 12 months time, someone
else starts slaving the parent zone to another server that doesn't also
slave the child zone, things are going to break...

More information about the bind-users mailing list