resolver change between 9.20.16 and 9.20.17
Petr Špaček
pspacek at isc.org
Mon Jan 5 08:58:53 UTC 2026
On 03. 01. 26 9:17, Ondřej Surý wrote:
> So, what you created here is a maze of NS records that have
> circular dependencies on each other, where only the ispeg.eu domain
> has GLUE records and can provide a break out of the loop.
>
> Just compare the transitive trust for lf.net (that's quite simple and straightforward)
> and the nepustil.* domains where pointing nepustil.* to ns*.nepustil.* makes
> absolutely no sense as this just creates more loops.
>
> For example, the resolution of nepustil.net has these paths:
>
> nepustil.net -> nepustil.de -> nepustil.net -> ENDLESS LOOP
> nepustil.net -> nepustil.de -> nepustil.com -> nepustil.de -> ENDLESS LOOP
> nepustil.net -> nepustil.de -> nepustil.com -> nepustil.net -> ENDLESS LOOP
> nepustil.net -> nepustil.de -> nepustil.net -> ispeg.eu -> GLUE OK
> nepustil.net -> nepustil.eu -> nepustil.net -> ENDLESS LOOP
> nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.com -> nepustil.de -> ENDLESS LOOP
> nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.com -> nepustil.net -> ENDLESS LOOP
> nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.net -> ispeg.eu -> GLUE OK
> nepustil.net -> ispeg.eu -> GLUE OK
>
> As you can see, there are 6 paths that can be taken to resolve the nameserver that are
> completely useless and just add more work to the resolver, prolonging the time and work
> that it takes to resolve the domain.
To simplify, the most robust setup is to use something like
nepustil.de. NS ns1.nepustil.de.
ns1.nepustil.de. A ... ; glue in DE TLD
ns1.nepustil.de. AAAA ... ; glue in DE TLD
and be done with it.
If the DE TLD is down nobody will be able to get NS records anyway, so
adding glue there actually _removes_ dependency on other parts of the
system, including attack surface created by using multiple registries.
I hope this helps.
--
Petr Špaček
Internet Systems Consortium
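The path enumeration in the quoted message, and the dependency argument in the reply, can be checked mechanically. The following is an added example and not code from the thread or from BIND: it walks a delegation graph, enumerates every NS-chasing path a resolver could follow, and stops a path at the first repeated zone ("ENDLESS LOOP"), at a nameserver whose address is available as glue ("GLUE OK"), or at a nameserver outside the modelled zones ("EXTERNAL"). The NS sets and glue below are constructed to mirror the nepustil.* / ispeg.eu layout as described; they are assumptions, not the real zone contents. It also computes the set of other zones a resolution depends on, which is what the in-bailiwick-NS-plus-glue setup from the reply shrinks to nothing.

```python
"""Enumerate NS resolution paths in a delegation graph and flag loops.

Added example, not code from the bind-users thread or from BIND. All zone
data here is constructed to mirror the layout described in the thread.
"""
from __future__ import annotations

# Constructed: zone -> nameserver hostnames in its NS RRset (assumed, not real).
LOOPED_NS = {
    "nepustil.net": ["ns.nepustil.de", "ns.nepustil.eu", "ns.ispeg.eu"],
    "nepustil.de":  ["ns.nepustil.net", "ns.nepustil.com"],
    "nepustil.com": ["ns.nepustil.de", "ns.nepustil.net"],
    "nepustil.eu":  ["ns.nepustil.net", "ns.nepustil.de"],
    "ispeg.eu":     ["ns.ispeg.eu"],
}
# Constructed: nameservers whose A/AAAA records the parent TLD carries as glue,
# so a resolver can reach them without chasing further NS records.
LOOPED_GLUE = {"ns.ispeg.eu"}

# The simplified setup suggested in the reply: in-bailiwick NS, glue in DE TLD.
SIMPLE_NS = {"nepustil.de": ["ns1.nepustil.de"]}
SIMPLE_GLUE = {"ns1.nepustil.de"}


def zone_of(nsname: str, zones: dict[str, list[str]]) -> str | None:
    """Return the longest modelled zone that the nameserver name falls under,
    or None when the nameserver lives outside the modelled graph."""
    labels = nsname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolution_paths(zone: str, zones: dict[str, list[str]], glue: set[str],
                     _path: list[str] | None = None) -> list[list[str]]:
    """Enumerate every NS-chasing path starting at `zone`.

    Each returned path is a list of zone names ending in one of the markers
    'GLUE OK', 'ENDLESS LOOP' (a zone was reached twice on the same path) or
    'EXTERNAL' (the nameserver is outside the modelled zones).
    """
    path = (_path or []) + [zone]
    paths: list[list[str]] = []
    for ns in zones.get(zone, []):
        if ns in glue:
            paths.append(path + ["GLUE OK"])
            continue
        ns_zone = zone_of(ns, zones)
        if ns_zone is None:
            paths.append(path + ["EXTERNAL"])
        elif ns_zone in path:
            paths.append(path + [ns_zone, "ENDLESS LOOP"])
        else:
            paths.extend(resolution_paths(ns_zone, zones, glue, path))
    return paths


def summarize(zone: str, zones: dict[str, list[str]], glue: set[str]) -> dict[str, int]:
    """Count how many enumerated paths end in each outcome."""
    counts = {"GLUE OK": 0, "ENDLESS LOOP": 0, "EXTERNAL": 0}
    for p in resolution_paths(zone, zones, glue):
        counts[p[-1]] += 1
    return counts


def dependencies(zone: str, zones: dict[str, list[str]], glue: set[str]) -> set[str]:
    """Other modelled zones whose NS RRsets some path has to fetch: each one is
    a registry or operator whose outage or compromise can break resolution."""
    deps: set[str] = set()
    for p in resolution_paths(zone, zones, glue):
        deps.update(z for z in p[1:] if z in zones)
    deps.discard(zone)
    return deps


if __name__ == "__main__":
    for p in resolution_paths("nepustil.net", LOOPED_NS, LOOPED_GLUE):
        print(" -> ".join(p))
    print(summarize("nepustil.net", LOOPED_NS, LOOPED_GLUE))
    print(sorted(dependencies("nepustil.net", LOOPED_NS, LOOPED_GLUE)))
    print(summarize("nepustil.de", SIMPLE_NS, SIMPLE_GLUE))
    print(sorted(dependencies("nepustil.de", SIMPLE_NS, SIMPLE_GLUE)))
```

With the constructed looped data, one of eight paths reaches glue and the other seven terminate in a loop, and resolution of nepustil.net depends on nepustil.de, nepustil.com and nepustil.eu. With the in-bailiwick setup from the reply there is exactly one path, it ends in glue, and the dependency set is empty. The loop rule here cuts a path at the first repeated zone, which is slightly stricter than the hand enumeration in the quoted message, so the counts differ from its "6 paths".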