Dnssec delegation NS RRset
Havard Eidnes
he at uninett.no
Sat Mar 27 12:15:11 UTC 2021
> I am getting the following warning:
>
> The following NS name(s) were found in the authoritative NS
> RRset, but not in the delegation NS RRset (i.e., in the com
> zone): (a DNS server)

This sounds like there is a mismatch between the NS RRset for the
zone on the authoritative NSes for the zone and the delegation NS
RRset from the parent zone. For a proper setup, these two NS
RRsets need to be identical, and it's the zone owner's duty to
ensure that is the case. Updating the NS RRset in the parent is
often done using other means than the DNS protocol itself.

> Missing glue records?

Maybe I'm splitting hairs here...

https://tools.ietf.org/html/rfc8499

says about "glue records":

   A later definition is that glue "includes any record in a zone
   file that is not properly part of that zone, including nameserver
   records of delegated sub-zones (NS records), address records that
   accompany those NS records (A, AAAA, etc), and any other stray
   data that might appear." (Quoted from [RFC2181], Section 5.4.1)

So... According to that wider definition of "glue records", yes,
there may be missing NS records in the delegation NS RRset in the
delegating zone.

If you use the more narrow definition of "glue records", that it
only consists of address records for the names corresponding to
the NS records in delegations, I would say "probably not".

Regards,
- Håvard
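
Added example, not part of the message above and not code from BIND: a small
check that compares a delegation NS RRset with the authoritative NS RRset and,
separately, looks for missing glue in the narrow sense. The zone name, server
names, address and the dig-style sample text are constructed placeholders.

```python
# Added example: constructed dig-style data; example.com, example.net and the
# 192.0.2.x address are placeholders, not values from the post.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.net.
;; ADDITIONAL SECTION:
ns1.example.com.  172800 IN A  192.0.2.1
"""
CHILD_ANSWER = """\
;; ANSWER SECTION:
example.com.      3600 IN NS NS1.Example.COM.
example.com.      3600 IN NS ns2.example.net.
example.com.      3600 IN NS ns3.example.com.
"""


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def records(text):
    """Yield (owner, type, rdata) from presentation-format lines, skipping comments."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not line.startswith(";"):
            yield norm(fields[0]), fields[3].upper(), fields[4]


def compare(zone, parent_text, child_text):
    """Diff the delegation NS RRset (parent) against the authoritative one (child)."""
    zone = norm(zone)
    parent_ns = {norm(r) for o, t, r in records(parent_text) if t == "NS" and o == zone}
    child_ns = {norm(r) for o, t, r in records(child_text) if t == "NS" and o == zone}
    # Narrow sense of glue: address records for the NS names. They are only
    # required when the NS name lies at or below the delegated zone itself.
    glue = {o for o, t, _ in records(parent_text) if t in ("A", "AAAA")}
    needs_glue = {n for n in parent_ns if n == zone or n.endswith("." + zone)}
    return {
        "only_in_child": sorted(child_ns - parent_ns),   # the warning quoted in the post
        "only_in_parent": sorted(parent_ns - child_ns),
        "missing_glue": sorted(needs_glue - glue),
    }


if __name__ == "__main__":
    for key, names in compare("example.com.", PARENT_REFERRAL, CHILD_ANSWER).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

With the sample data the two NS RRsets differ (one name exists only on the
authoritative side) while no glue is missing, which matches the distinction
drawn in the message.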