This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
clueing in TLD registries for delegations to non-BIND servers
Stefan Paletta
stefanp at cabal1.com
Sun Feb 9 22:56:27 CET 2003
[please do not explicitly send copies of followups to me]
Brad Knowles wrote/schrieb/scripsit:
> In which case, it is impossible to configure nsd to "do the right
> thing", even if this feature wasn't turned on by default. If you
> don't configure the root zone, then you get SERVFAIL instead. If you
> do, then you get bogus information. We need a third way, one that
> gives us the right answer.
There is no One True Lame Delegation Answer. Servers have always
responded differently when a delegation was lame. For example, suppose
I had configured the cabal1.net nameservers like:
    $ORIGIN cabal1.net.
    ; SOA yadda yadaa
    foobar  NS  k
    k       A   193.0.14.129
    ; address of k.root-servers.net
Then, when a client had learned that k.cabal1.net at address 193.0.14.129
was supposed to know about foobar.cabal1.net, this nameserver, when asked
for the address of foobar.cabal1.net, would respond with an authoritative
referral to the net servers. The client would notice that this was a lame
delegation and then throw away the information received, because it would
be vulnerable to poisoning otherwise.
Similarly, BIND servers usually have a root.cache file, even when they
are not acting as recursive resolvers. As a consequence, under certain
circumstances, all they could do when asked for information they did
not have was to return their knowledge of the root servers. They would
do this non-authoritatively because the root.cache information is not
their authoritative knowledge. No matter if this is even an authoritative
answer (i.e. the server had a local root zone configured) or not,
the client will notice that the delegation is lame and then throw away
the (possibly bogus) information.
So, there is absolutely nothing magic about returning a referral to the
roots. Many possible -- and correct -- responses to a lame delegation
exist and one of them is to simply return SERVFAIL for lack of better
knowledge.
-Stefan
--
junior guru SP666-RIPE SMP@{IRC,SILC}
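
The client-side check the message above relies on, as an added example that is not part of the original message or of any resolver's code: a reply from a server that was supposed to be authoritative for a zone cut is kept only if it is an in-zone authoritative answer or a referral further down the tree; SERVFAIL and referrals upward (to net or to the roots) are treated alike as lame and their records are thrown away. The `Response` model, `classify` and the sample replies are constructed for illustration, and negative answers (NXDOMAIN/NODATA) are left out.

```python
from dataclasses import dataclass, field

NOERROR, SERVFAIL = 0, 2  # DNS RCODE values

@dataclass
class Response:
    """Simplified, constructed model of a DNS reply (not a wire-format parser)."""
    rcode: int = NOERROR
    aa: bool = False                                # authoritative-answer flag
    answer: list = field(default_factory=list)      # owner names in ANSWER
    ns_owners: list = field(default_factory=list)   # NS owner names in AUTHORITY

def labels(name):
    """'foobar.cabal1.net.' -> ['net', 'cabal1', 'foobar']; the root '.' -> []."""
    return [l for l in reversed(name.lower().rstrip(".").split(".")) if l]

def is_subdomain(name, zone):
    """True if name is at or below zone."""
    n, z = labels(name), labels(zone)
    return n[:len(z)] == z

def classify(qname, zone_cut, resp):
    """What a resolver does with a reply from a server delegated zone_cut."""
    if resp.rcode == SERVFAIL:
        return "lame"                      # no data at all: try another server
    if resp.aa and resp.answer:
        # Authoritative data is only credible for names inside the zone.
        ok = all(is_subdomain(o, zone_cut) for o in resp.answer)
        return "answer" if ok else "lame"
    if resp.ns_owners:
        # A referral must lead closer to qname: strictly below the zone cut
        # and at or above qname. The AA flag does not matter here, so a
        # server with a local root zone is judged like one using root.cache.
        deeper = all(
            len(labels(o)) > len(labels(zone_cut))
            and is_subdomain(o, zone_cut)
            and is_subdomain(qname, o)
            for o in resp.ns_owners
        )
        return "referral" if deeper else "lame"   # upward/sideways: discard
    return "lame"

# Constructed sample replies for the delegation in the message.
CUT = "foobar.cabal1.net."
REFERRAL_TO_NET = Response(aa=True, ns_owners=["net."])   # k's reply
REFERRAL_TO_ROOT = Response(aa=False, ns_owners=["."])    # root.cache case
FAILURE = Response(rcode=SERVFAIL)
```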