<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
On 10/28/2011 12:48 PM, Laws, Peter C. wrote:
<blockquote
cite="mid:BB3410CB869057479D53C8F5D69EBA854B90CD7E@it-kodiak.sooner.net.ou.edu"
type="cite">
<pre wrap="">It seems like there are two ways I could delegate a zone.
I could, in the zone file for the parent, simply list the name of the zone
and a number of NS records to which the zone has been delegated.
Or, I could create a zone statement within named.conf that points to a file
that contains an SOA and a number of NS records to which the zone has been
delegated.
</pre>
</blockquote>
In and of itself, that's not "delegation".<br>
<blockquote
cite="mid:BB3410CB869057479D53C8F5D69EBA854B90CD7E@it-kodiak.sooner.net.ou.edu"
type="cite">
<pre wrap="">
Which is better and which should I prefer?
Ideally, I'd like to make the zone first with the NSes pointed to the same
server plus various and sundry other As and CNAMEs, but need help on this
point before I do anything.
BTW, this is on RHEL's BIND9 and no, the master has yet to have the RHEL
bind97 RPMs installed, and yes, I am a bad admin for not doing that.
</pre>
</blockquote>
No, there aren't 2 ways of "delegating" a zone. You should think of
this as 2 separate functions: "hosting" a zone, versus "delegating"
the zone.<br>
<br>
You can host a zone that's not delegated, but then it's not
connected to the overall namespace tree, so resolvers won't be able
to find it through the normal algorithm for following delegation
chains. In order for anyone to resolve anything from the zone,
they'd have to have specific knowledge of where the zone is hosted
(or talk to something that has that explicit knowledge, or with even
more levels of indirection, e.g. zones of type "forward" or "stub",
but ultimately some zone-specific explicit configuration is
necessary).<br>
<br>
On the other hand, you can delegate a zone and <b>*not* </b>host
it. This is done all the time (think gTLD or ccTLD servers
delegating zones to domain registrants rather than hosting it
themselves).<br>
<br>
It's kind of like the difference between having a phone line
installed and publishing the number in the phone book. Some people
have unlisted phone numbers (analogous to undelegated zones), and
then only their friends, relatives, etc. will use it (maybe the
occasional robo-caller). Or, you can publish your phone number in
the phone book, so anyone generally can call you if they need to.<br>
<br>
Undelegated zones tend to be rather rare, since really the whole
point of having a hierarchical namespace is so that the relevant
information can be found using a relatively-simple
search-within-hierarchy algorithm. Also, as others have pointed out,
DNSSEC assumes normal delegation chains, so undelegated zones miss
out there too.<br>
<br>
- Kevin<br>
</body>
</html>