BIND 9.21+/9.22: parent-centric delegations and no TTL-based cleaning
Matus UHLAR - fantomas
uhlar at fantomas.sk
Fri Apr 17 11:52:54 UTC 2026
>Ondřej Surý <ondrej at isc.org> wrote:
> > nameservers for the child domain. The NS records in the child domain
> > will be treated as normal DNS records and returned
> > as authoritative data, but they will no longer overwrite the delegation
> > data for the domain. If you want to delve into the technical
> > details and reasoning behind the change, you are most welcome to read
> > the Internet Draft I've submitted to IETF and possibly
> > also express interest in the draft in the dnsop wg:
On 08.04.26 13:07, Michael Richardson wrote:
>So, I think this affects only people who have a parent and a child loaded into an
>authoritative server... and who have not synchronized them.
I wouldn't be so sure.
Currently, when your delegation provides NS for multiple servers, only one
of them needs to be working, and when your zone has proper NS records, BIND
remembers the NS records in the zone and queries them.
OTOH, when the delegation is correct but the zone itself has incorrect
records, current BIND tries to contact the NS records from the zone until they
expire.
After the change, BIND can slow down resolution when the delegation is
incorrect, e.g. the real servers moved, the zone itself was updated, but the
delegation wasn't.
When the delegation is correct but the NS records in the zone are invalid, BIND will
now follow the delegation, which looks like a good thing.
I have encountered both cases, but clients misconfiguring delegated zones
seem to be more common and problematic.
I am not sure how DNSSEC affects this, I guess not at all.
>That could easily happen if one has a secondary name server that loads zones
>from different origins. Come to think of it, my secondary loads reverse zones
>in that exact way... So maybe it affects many ISPs.
>I was thinking finding/fixing this would be easy for those who just have a
>directory of files, but the secondary and inline DNSSEC signer situations
>probably make it more prevalent.
>
>Are there any warnings that can be enabled?
>I think, one wouldn't want this on by default.
Checking and monitoring is still a good idea, but so far it looks to me that
the change is for the better.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
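The check discussed above, comparing what the parent delegates with what the child zone publishes at its apex, as an added example that is not part of the thread and is not BIND code. The zone-file lines are constructed sample data in which the servers moved and the child zone was updated but the delegation was not (the first case described in the post); `parent_centric` models which NS set a resolver keeps querying under the two behaviours the post contrasts.

```python
"""Detect parent/child NS mismatches for a delegated zone.

Added example, not from the bind-users thread or from BIND. Zone data is constructed.
"""
from dataclasses import dataclass

# Constructed sample: the NS RRset the parent zone delegates for example.org.
# Mixed case on purpose; a correct check must compare names case-insensitively.
PARENT_DELEGATION = """\
example.org.   86400 IN NS ns1.example.org.
example.org.   86400 IN NS NS2.example.org.   ; old server, no longer authoritative
"""

# Constructed sample: the NS RRset at the child apex after the servers moved.
CHILD_APEX = """\
example.org.   3600 IN NS ns1.example.org.
example.org.   3600 IN NS ns3.newhost.example.
www.example.org. 3600 IN A 192.0.2.10
"""


def _fqdn(name: str) -> str:
    """Normalize an owner or target name: lower case, with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_ns(zone_text: str, owner: str) -> set[str]:
    """Return the normalized NS targets owned by `owner` in zone-file style text.

    Tolerates an optional TTL and class, and strips ';' comments.
    """
    wanted = _fqdn(owner)
    targets: set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if _fqdn(fields[0]) != wanted:
            continue
        # Locate the RR type token; anything before it is TTL and/or class.
        upper = [f.upper() for f in fields[1:]]
        if "NS" not in upper:
            continue
        idx = upper.index("NS") + 1
        if idx + 1 < len(fields):
            targets.add(_fqdn(fields[idx + 1]))
    return targets


@dataclass(frozen=True)
class DelegationReport:
    common: frozenset
    parent_only: frozenset
    child_only: frozenset

    @property
    def consistent(self) -> bool:
        """True when parent delegation and child apex agree exactly."""
        return not self.parent_only and not self.child_only


def compare_delegation(parent_text: str, child_text: str, zone: str) -> DelegationReport:
    """Compare the parent's NS RRset for `zone` with the child's apex NS RRset."""
    parent = parse_ns(parent_text, zone)
    child = parse_ns(child_text, zone)
    return DelegationReport(
        common=frozenset(parent & child),
        parent_only=frozenset(parent - child),
        child_only=frozenset(child - parent),
    )


def servers_queried(report: DelegationReport, parent_centric: bool) -> frozenset:
    """Model which servers a resolver keeps using for the zone.

    child-centric (the older behaviour): the child's NS RRset replaces the delegation.
    parent-centric (9.21+/9.22 per the thread): the delegation is kept.
    """
    extra = report.parent_only if parent_centric else report.child_only
    return report.common | extra


if __name__ == "__main__":
    rep = compare_delegation(PARENT_DELEGATION, CHILD_APEX, "example.org")
    print("consistent:", rep.consistent)
    print("delegated but not at child apex:", sorted(rep.parent_only))
    print("at child apex but not delegated:", sorted(rep.child_only))
    for mode in (False, True):
        print("parent_centric=%s queries %s" % (mode, sorted(servers_queried(rep, mode))))
```

Run against real data by feeding `parse_ns` the output of a `dig NS` at a parent server and at a child server; any non-empty `parent_only` or `child_only` set is what a monitoring alert should fire on, since after the change a stale delegation is no longer repaired by the child's own NS records.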