Ondřej Surý <[email protected]> wrote:
   > nameservers for the child domain. The NS records in the child domain
   > will be treated as normal DNS records and returned
   > as authoritative data, but they will no longer overwrite the delegation
   > data for the domain. If you want to delve into the technical
   > details and reasoning behind the change, you are most welcome to read
   > the Internet Draft I've submitted to IETF and possibly
   > also express interest in the draft in the dnsop wg:

On 08.04.26 13:07, Michael Richardson wrote:
> So, I think this affects only people who have a parent and a child loaded into an
> authoritative server... and who have not synchronized them.

I wouldn't be so sure.

Currently, when your delegation provides NS for multiple servers, only one of them needs to be working and when your zone has proper NS records, BIND remembers the NS records in the zone and queries them.

OTOH, when the delegation is correct, but the zone itself has incorrect records, current BIND tries to contact NS records from the zone until they expire.

After the change, BIND can slow down resolution when the delegation is incorrect, e.g. the real servers moved, the zone itself was updated, but the delegation wasn't.

When the delegation is correct but NS records in the zone are invalid, BIND will now follow the delegation, which looks like a good thing.

I have encountered both cases, but clients misconfiguring delegated zones seems to be more common and problematic.

I am not sure how DNSSEC affects this, I guess not at all.

> That could easily happen if one has a secondary name server that loads zones
> from different origins.  Come to think of it my secondary loads reverse zones
> in that exact way...  So many it affects many ISPs.
> I was thinking finding/fixing this would be easy for those who just have a
> directory of files, but the secondary and inline DNSSEC signer situations
> probably make it more prevalent.
>
> Are there any warnings that can be enabled?
> I think, one wouldn't want this on by default.

Checking and monitoring is still a good idea, but so far it looks to me that the change is for the better.
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
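
Added example, not part of the thread and not ISC code: for the "directory of files" case mentioned above, a small check that compares the NS set a parent zone file delegates to with the NS set at the child zone's apex. The zone data, the `ns_set` and `compare_delegation` names, and the one-record-per-line zone format are assumptions made for this sketch.

```python
# Constructed zone data (not from the thread); helper names are hypothetical.
PARENT = """\
$ORIGIN example.test.
@      3600 IN SOA ns.example.test. host.example.test. 1 3600 600 86400 300
@      3600 IN NS  ns.example.test.
child  3600 IN NS  ns1.child
child  3600 IN NS  ns-old.provider.test.
"""
CHILD = """\
@ 3600 IN SOA ns1.child.example.test. host.child.example.test. 7 3600 600 86400 300
@ 3600 IN NS  ns1
@ 3600 IN NS  ns2.child.example.test.
"""

def ns_set(zone_text, origin, owner):
    """NS targets for `owner`; expects one 'owner [ttl] [class] NS target' per line."""
    origin = origin.lower().rstrip(".") + "."
    def fqdn(name):
        name = name.lower()
        if name == "@":
            return origin
        return name if name.endswith(".") else name + "." + origin
    found = set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields or raw[0].isspace():
            continue  # blank, comment-only, or inherited-owner line (not handled)
        i = 1
        while i < len(fields) and (fields[i][0].isdigit() or fields[i].upper() == "IN"):
            i += 1  # skip optional TTL and class
        if len(fields) > i + 1 and fields[i].upper() == "NS" and fqdn(fields[0]) == fqdn(owner):
            found.add(fqdn(fields[i + 1]))
    return found

def compare_delegation(parent_text, parent_origin, child_text, child_origin):
    """Compare the delegation NS set in the parent with the apex NS set in the child."""
    apex = child_origin.rstrip(".") + "."
    parent = ns_set(parent_text, parent_origin, apex)
    child = ns_set(child_text, child_origin, "@")
    return {
        "in_sync": bool(parent) and parent == child,
        "delegation_only": sorted(parent - child),  # in the delegation, absent from the zone
        "child_only": sorted(child - parent),       # in the zone, but not in the delegation
    }

if __name__ == "__main__":
    print(compare_delegation(PARENT, "example.test", CHILD, "child.example.test"))
```

Names under `delegation_only` are the ones a resolver keeps following once child NS records no longer overwrite the delegation; names under `child_only` are served as ordinary authoritative data only.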