A problem with inappropriate records on a Zone Cut in 8.1.2

Ted_Rule at flextech.co.uk
Mon Sep 27 12:17:46 UTC 1999



We have recently taken on an eval copy of a Load Balancing DNS Server which has
highlighted a small 'bug/feature' in bind-8.1.2.

As it stands, we have no working 8.2 server, so I am unable to confirm whether
this problem exists in 8.2 or above - a quick scan of CHANGES revealed nothing
that seemed to fit the bill, but it may well have already been cured.

The LB DNS server can be used to set an RRset of A records for a given host
domain, but it doesn't actually return NS records when queried, nor can one
configure MX records for the virtual host. The manufacturer's configuration
details how to add the NS glue into the parent domain, as one would expect.
However, our first response from the support desk to the allocation of an MX
record set for the Virtual Host was to include an MX record for the host in the
zone file on the parent .....

Nay, I cried, that'll never work, surely?

When we actually tested the suggestion, we found that bind-8.1.2 did indeed
allow one to add non-NS records at the zone cut in the parent domain master
file, but these did not appear in any zone transfer from the server for the
parent domain - as one would expect.

However, the MX records we added did show up in a "dig any" or "dig mx" of the
name server, along with the NS delegation records for the virtual host domain.

The consequence of this is that the parent zone master sees a different MX
rrset to all the parent zone slaves - which cannot retrieve the bogus MX rrset
from the master via a zone transfer.

I looked in vain for anything in the syslog indicating bind's unhappiness about
this weird configuration.


I fully realise that adding MX records at the zone cut is highly dubious, but it
seems that bind-8.1.2 is behaving wrongly in 2 ways:

a)   There is apparently no indication in the syslog that the server is at all
     unhappy about the non-NS records on the zone cut.

b)   The server accepts the non-NS records at the zone cut into its database,
     and allows them to appear in responses to queries for records at the zone
     cut.


I suppose a fix to a) would start to highlight the problem to anyone who
misconfigured their server in this way. A fix to b) is probably considerably
more complicated! - especially given that DNSSEC quite legitimately adds more
than just NS records at the zone cut.



Ted Rule,
Flextech Television


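Added example, not part of the original message and not BIND code: a pre-load audit that reports the condition described in (a), non-NS records placed at or below a delegation point in a parent zone's master file. The zone text, names, simplified one-record-per-line syntax, and the set of DNSSEC types tolerated at a cut are assumptions made for the illustration.

```python
# Added example: flag non-NS data at or below zone cuts in a parent zone file.
ORIGIN = "example.com."  # constructed origin and records, for illustration only
ZONE = """\
@        IN SOA ns1 hostmaster 1 3600 900 604800 3600
@        IN NS  ns1
@        IN MX  10 mail
ns1      IN A   192.0.2.1
mail     IN A   192.0.2.2
www      IN NS  lb1.www
www      IN MX  10 mail
lb1.www  IN A   192.0.2.10
ftp.www  IN TXT "below the cut"
"""

# Assumption: DNSSEC types that may sit beside NS on the parent side of a cut
# (KEY/SIG/NXT are the RFC 2535-era types, DS/NSEC/RRSIG the later ones).
ALLOWED_AT_CUT = {"NS", "DS", "NSEC", "RRSIG", "KEY", "SIG", "NXT"}
GLUE = {"A", "AAAA"}  # address records below a cut are treated as glue

def fqdn(name, origin):
    name = origin if name == "@" else name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(text, origin):
    """Yield (owner, rrtype) from a simplified master file: one RR per line,
    explicit owner, optional TTL and class, no $directives or parentheses."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if not fields:
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]
        if rest:
            yield owner, rest[0].upper()

def audit_zone_cuts(text, origin=ORIGIN):
    records = list(parse(text, origin))
    # A zone cut is any owner other than the apex that carries NS records.
    cuts = {owner for owner, rrtype in records if rrtype == "NS" and owner != origin}
    findings = []
    for owner, rrtype in records:
        for cut in cuts:
            if owner == cut and rrtype not in ALLOWED_AT_CUT:
                findings.append((owner, rrtype, "non-NS data at zone cut"))
            elif owner.endswith("." + cut) and rrtype not in GLUE:
                findings.append((owner, rrtype, "non-glue data below zone cut"))
    return findings
```

Running `audit_zone_cuts(ZONE)` on the constructed zone reports the MX record at `www.example.com.` and the TXT record beneath it, while the apex MX and the glue A record pass.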


