On 03. 01. 26 9:17, Ondřej Surý wrote:
So, what you created here is a maze of NS records that have circular dependencies on each other, where only the ispeg.eu domain has GLUE records and can provide a break out of the loop.
Just compare the transitive trust for lf.net (that's quite simple and straightforward) and the nepustil.* domains, where pointing nepustil.* to ns*.nepustil.* makes absolutely no sense as this just creates more loops.
For example, the resolution of nepustil.net has these paths:
nepustil.net -> nepustil.de -> nepustil.net -> ENDLESS LOOP
nepustil.net -> nepustil.de -> nepustil.com -> nepustil.de -> ENDLESS LOOP
nepustil.net -> nepustil.de -> nepustil.com -> nepustil.net -> ENDLESS LOOP
nepustil.net -> nepustil.de -> nepustil.net -> ispeg.eu -> GLUE OK
nepustil.net -> nepustil.eu -> nepustil.net -> ENDLESS LOOP
nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.com -> nepustil.de -> ENDLESS LOOP
nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.com -> nepustil.net -> ENDLESS LOOP
nepustil.net -> nepustil.eu -> nepustil.de -> nepustil.net -> ispeg.eu -> GLUE OK
nepustil.net -> ispeg.eu -> GLUE OK
As you can see, there are 6 paths that can be taken to resolve the nameserver that are completely useless and just add more work to the resolver, prolonging the time and work that it takes to resolve the domain.
To simplify, the most robust setup is to use something like
nepustil.de. NS ns1.nepustil.de.
ns1.nepustil.de. A ... ; glue in DE TLD
ns1.nepustil.de. AAAA ... ; glue in DE TLD
and be done with it.
If the DE TLD is down nobody will be able to get NS records anyway, so
adding glue there actually _removes_ dependency on other parts of the
system, including attack surface created by using multiple registries.
I hope this helps.
--
Petr Špaček
Internet Systems Consortium
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
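The dependency walk Petr performs by hand above can be automated. The following Python script is an added example, not part of the mail or of any ISC tool: it takes a table of zones and their NS host names plus the set of NS hosts that have glue at their parent, and enumerates every path a resolver could take, ending each one in GLUE OK or ENDLESS LOOP. The zone names (alpha.example, beta.example, ...) and their NS sets are constructed to mirror the shape described in the mail, not real DNS data; the "robust" variant is the single in-bailiwick NS with glue that the mail recommends. One design choice differs from the hand-drawn list: revisiting any zone already on the current path is counted as a loop immediately, rather than re-entering it, since the resolver learns nothing new there.

```python
"""Enumerate the NS resolution paths of a zone and flag circular ones.

Model: ZONES maps each zone to its NS host names; an NS host is owned by
the nearest enclosing zone in the table; GLUE holds the NS hosts whose
address records the parent registry publishes as glue.
"""
from typing import Dict, List, Set, Tuple

# Constructed example data, not real DNS records: the shape mirrors the
# mail's description (zones delegating to each other's nameservers, with
# a single zone whose nameserver has glue at its parent).
ZONES: Dict[str, List[str]] = {
    "alpha.example": ["ns.beta.example", "ns.gamma.example", "ns.glue.example"],
    "beta.example": ["ns.alpha.example", "ns.delta.example"],
    "delta.example": ["ns.beta.example", "ns.alpha.example"],
    "gamma.example": ["ns.alpha.example", "ns.beta.example"],
    "glue.example": ["ns.glue.example"],
}
GLUE: Set[str] = {"ns.glue.example"}

# The simplified setup the mail recommends: in-bailiwick NS with glue
# published by the parent (hypothetical names).
ROBUST_ZONES: Dict[str, List[str]] = {"beta.example": ["ns1.beta.example"]}
ROBUST_GLUE: Set[str] = {"ns1.beta.example"}

LOOP = "ENDLESS LOOP"
OK = "GLUE OK"


def owning_zone(host: str, zones: Dict[str, List[str]]) -> str:
    """Return the zone from `zones` that the NS host name falls under."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise KeyError(f"no known zone owns {host}")


def resolution_paths(zone: str, zones: Dict[str, List[str]], glue: Set[str],
                     path: Tuple[str, ...] = ()) -> List[List[str]]:
    """Depth-first enumeration of every way a resolver could chase the NS
    records of `zone`; each path ends in GLUE OK or ENDLESS LOOP."""
    path = path + (zone,)
    results: List[List[str]] = []
    for host in zones[zone]:
        owner = owning_zone(host, zones)
        if owner == zone:
            # In-bailiwick NS: resolvable only if the parent publishes glue;
            # without glue the zone would depend on itself.
            results.append(list(path) + [OK if host in glue else LOOP])
        elif owner in path:
            # Out-of-bailiwick NS living in a zone already on the path:
            # the resolver is back where it started, so this is circular.
            results.append(list(path) + [owner, LOOP])
        else:
            results.extend(resolution_paths(owner, zones, glue, path))
    return results


def summarize(zone: str, zones: Dict[str, List[str]],
              glue: Set[str]) -> Tuple[int, int]:
    """Return (usable paths, circular paths) for `zone`."""
    paths = resolution_paths(zone, zones, glue)
    ok = sum(1 for p in paths if p[-1] == OK)
    return ok, len(paths) - ok


if __name__ == "__main__":
    for p in resolution_paths("alpha.example", ZONES, GLUE):
        print(" -> ".join(p))
    print("alpha.example:", summarize("alpha.example", ZONES, GLUE))
    print("beta.example (robust):",
          summarize("beta.example", ROBUST_ZONES, ROBUST_GLUE))
```

Running it prints the eight paths for alpha.example, of which only the one through glue.example ends in GLUE OK; the robust beta.example setup yields a single GLUE OK path and nothing else, which is the point of the mail's recommendation. To check a real deployment, fill ZONES from the NS RRsets actually published and GLUE from the address records the parent registry returns in its referral, not from the child zone's own data.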