Dnssec delegation NS RRset

Havard Eidnes he at uninett.no
Sat Mar 27 12:15:11 UTC 2021


> I am getting the following warning:
> 
> The following NS name(s) were found in the authoritative NS
> RRset, but not in the delegation NS RRset (i.e., in the com
> zone): (a DNS server)

This sounds like there is a mismatch between the NS RRset for the
zone on the authoritative NSes for the zone and the delegation NS
RRset from the parent zone.  For a proper setup, these two NS
RRsets need to be identical, and it's the zone owner's duty to
ensure that is the case.  Updating the NS RRset in the parent is
often done using other means than the DNS protocol itself.

> Missing glue records?

Maybe I'm splitting hairs here...

https://tools.ietf.org/html/rfc8499

says about "glue records":
      A later definition is that glue "includes any record in a zone
      file that is not properly part of that zone, including nameserver
      records of delegated sub-zones (NS records), address records that
      accompany those NS records (A, AAAA, etc), and any other stray
      data that might appear."  (Quoted from [RFC2181], Section 5.4.1)

So... According to that wider definition of "glue records", yes,
there may be missing NS records in the delegation NS RRset in the
delegating zone.

If you use the more narrow definition of "glue records", that it
only consists of address records for the names corresponding to
the NS records in delegations, I would say "probably not".

Regards,

- Håvard
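
The comparison described in the reply above, as an added example that is not part of the original post: it diffs the delegation NS RRset against the zone's own apex NS RRset and separately checks glue in the narrow sense. The zone name, server names and addresses are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data in dig/zone-file presentation format (not from the post).
# PARENT: what the delegating zone serves; CHILD: the zone's own apex NS RRset.
PARENT = """\
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
ns1.example.com.  172800 IN A  192.0.2.1
ns2.example.com.  172800 IN A  192.0.2.2
"""
CHILD = """\
example.com.  3600 IN NS NS1.Example.COM.
example.com.  3600 IN NS ns2.example.com.
example.com.  3600 IN NS ns3.example.net.
"""

def canonical(name):
    """DNS names compare case-insensitively; force one trailing dot."""
    return name.rstrip(".").lower() + "."

def parse_rrs(text):
    """Yield (owner, type, rdata) from 'owner ttl IN type rdata' lines."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield canonical(fields[0]), fields[3].upper(), fields[4]

def ns_set(text, zone):
    return {canonical(rd) for owner, rtype, rd in parse_rrs(text)
            if owner == zone and rtype == "NS"}

def compare_delegation(zone, parent_text, child_text):
    zone = canonical(zone)
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    # Narrow sense of "glue": address records in the parent for NS names
    # that lie inside the delegated zone.
    addr_owners = {o for o, t, _ in parse_rrs(parent_text) if t in ("A", "AAAA")}
    in_zone = lambda n: n == zone or n.endswith("." + zone)
    return {
        "consistent": parent == child,
        "only_in_child": sorted(child - parent),    # the warning in the post
        "only_in_parent": sorted(parent - child),
        "missing_glue": sorted(n for n in parent
                               if in_zone(n) and n not in addr_owners),
    }

if __name__ == "__main__":
    for key, value in compare_delegation("example.com", PARENT, CHILD).items():
        print(f"{key}: {value}")
```

With this sample the extra name shows up under `only_in_child` while `missing_glue` stays empty, which is the distinction the reply draws between the two definitions.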

