Delegations

Mark Andrews marka at isc.org
Wed Oct 31 22:56:42 UTC 2012


In message <5091A8BC.70104 at dougbarton.us>, Doug Barton writes:
> On 10/31/2012 03:22 PM, Chris Thompson wrote:
> > On Oct 31 2012, Kevin Darcy wrote:
> > 
> > [...snip...]
> >> I know of at least 2 commercially-available DNS maintenance systems
> >> that, by default, do not allow what they call "dotted hostnames", by
> >> which they mean a name which is at least 2 labels below a zone cut, e.g.
> >> "foo.bar" in the "example.com" zone. Their underlying assumption seems
> >> to be that *every* level of the hierarchy will, in the
> >> usual/typical/default case, be delegated.
> >>
> >> I don't agree with this assumption in the slightest, but some people are
> >> afraid of changing default behaviors...
> > 
> > What "default behavior"? The default behavior of (seriously) defective
> > DNS maintenance systems? (You wouldn't like to name-and-shame, I suppose?)
> > 
> > The end-point of that sort of logic is that, for example, the SRV record
> > for _someservice._tcp.somename.example.com has to have separate zones
> > for somename.example.com and _tcp.somename.example.com, probably
> > containing nothing but the names mentioned.  I've seen people actually
> > do this, and it's painful to watch.
> 
> Chris, I specifically asked the OP if they wanted a zone cut at the
> higher level, or if they were just looking for multi-dot names. So this
> particular argumentum ad absurdum is particularly inappropriate.
> 
> We used to say that you didn't need to do a delegation if the subzone
> was going to be hosted on the same auth. name server either, and then
> along came DNSSEC and lots of people with systems that weren't breaking
> any rules are suddenly dealing with strange error messages.

Adding a child zone without adding the delegating NS records was
always a bad idea.  Such "instruction" also usually contained the
caveat "this is technically wrong and will cause issues if you ever
have machines that do not host both zones but you can get away with
it."

Nameservers also used to merge zone contents so that AXFR included
the NS records from the child zone.

> So sure, the OP could probably "get away with it" even without doing a
> zone cut at the middle level. But I stand by my assertion that for
> maximum future-proofing they're safer with it than without. Doing the
> zone cut costs them almost nothing now, and may save time/effort/energy
> down the road.

You are equating a practice that was technically wrong, and known
to be wrong from the get go, with one that has never been technically
wrong.

> Doug
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
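
An added example, not part of the original message and not BIND code: a small audit that separates the two cases discussed in this thread, a child zone hosted without delegating NS records in its parent versus multi-label names that need no zone cut. The zone names and records are constructed sample data, and the `ZONES` layout (apex mapped to a list of owner, type, rdata tuples) is an assumption of this sketch.

```python
"""Audit zones hosted on one server for child zones with no delegation in the parent."""

def labels(name):
    # "a.b.example.com." -> ["a", "b", "example", "com"]
    return name.rstrip(".").lower().split(".")

def is_subdomain(name, apex):
    n, a = labels(name), labels(apex)
    return len(n) > len(a) and n[-len(a):] == a

def closest_parent(apex, zones):
    # Closest enclosing zone among those configured on this server, or None.
    parents = [z for z in zones if is_subdomain(apex, z)]
    return max(parents, key=lambda z: len(labels(z)), default=None)

def missing_delegations(zones):
    """Return (parent, child) pairs where the parent has no NS RRset at the child apex."""
    missing = []
    for child in zones:
        parent = closest_parent(child, zones)
        if parent is None:
            continue  # no parent hosted here, nothing to compare against
        has_ns = any(labels(owner) == labels(child) and rtype == "NS"
                     for owner, rtype, _ in zones[parent])
        if not has_ns:
            missing.append((parent, child))
    return sorted(missing)

def dotted_names(zones):
    """Names two or more labels below their zone apex: legal, no zone cut required."""
    found = set()
    for apex, records in zones.items():
        for owner, _, _ in records:
            if len(labels(owner)) - len(labels(apex)) >= 2:
                found.add(owner)
    return sorted(found)

# Constructed sample data (hypothetical zones, documentation address space).
ZONES = {
    "example.com.": [
        ("example.com.", "NS", "ns1.example.com."),
        ("foo.bar.example.com.", "A", "192.0.2.10"),
        ("_someservice._tcp.somename.example.com.", "SRV", "0 0 443 host.example.com."),
        ("good.example.com.", "NS", "ns1.example.com."),  # proper delegation
    ],
    "good.example.com.": [("good.example.com.", "NS", "ns1.example.com.")],
    "bad.example.com.": [("bad.example.com.", "NS", "ns1.example.com.")],  # no NS in parent
}

if __name__ == "__main__":
    print("missing delegations:", missing_delegations(ZONES))
    print("dotted names (fine as-is):", dotted_names(ZONES))
```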


