In message <cb84b51a.4a53a%dan.mcdon...@austinenergy.com>, Daniel McDonald writ es: > > On 3/13/12 8:20 AM, "hugo hugoo" <hugo...@hotmail.com> wrote: > > > ==> do I have to create in zone "toto.be" the following NS record: > > > > titi.toto.be. TTL IN NS ns1.xxx.be > > > > > > I have found cases where this situation is present and other when it is not > > present...and both cases seems to work. > > What is the difference? > > The glue records aren't necessary when both the zone and subzone are on the > same server, although it is good to have them for completeness. When the > zones are on different servers you need the glue records.
No, they *are* necessary. Just because their lack does not cause a resolution failure in all cases it doesn't mean they are not necessary. If the parent zone is signed but the child zone is unsigned then the lack of NS records *will* cause validation failures unless OPTOUT is in use even when both zones are only served by a common set of servers. DNSSEC catches out lots of bad practices that mostly pass unnoticed with plain DNS. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
