Re: conflicting subdomain delegation

2018-11-16 Thread Matus UHLAR - fantomas

In article ,
 Frank Liu  wrote:

> Thanks for confirming bind behavior matches what I saw.
> I noticed other resolvers (eg: @8.8.8.8) works differently, c.b.a.com NS
> host2 actually got used, not ignored as occluded data.



On Thu, Nov 15, 2018 at 8:25 AM Barry Margolin  wrote:

That shouldn't be possible. The occluded data should never be given out
by the authoritative server, so the resolver should never see it.

Tell us the actual domains so we can see what's really happening.


On 15.11.18 21:28, Frank Liu wrote:

That's an internal setting that can't be exposed.
I created a public test name: test.c.b.jilapps.com
Should you see A record 1.2.3.4 or 5.6.7.8?


test.c.b.jilapps.com.   300 IN  A   1.2.3.4
c.b.jilapps.com.        172800  IN  NS  ns-1450.awsdns-53.org.
c.b.jilapps.com.        172800  IN  NS  ns-1978.awsdns-55.co.uk.
c.b.jilapps.com.        172800  IN  NS  ns-33.awsdns-04.com.
c.b.jilapps.com.        172800  IN  NS  ns-540.awsdns-03.net.

Servers for c.b.jilapps.com send this; servers for jilapps.com send
referrals to c.b.jilapps.com servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: conflicting subdomain delegation

2018-11-15 Thread Frank Liu
That's an internal setting that can't be exposed.
I created a public test name: test.c.b.jilapps.com
Should you see A record 1.2.3.4 or 5.6.7.8?

On Thu, Nov 15, 2018 at 8:25 AM Barry Margolin  wrote:

> In article ,
>  Frank Liu  wrote:
>
> > Thanks for confirming bind behavior matches what I saw.
> > I noticed other resolvers (eg: @8.8.8.8) works differently, c.b.a.com NS
> > host2 actually got used, not ignored as occluded data.
>
> That shouldn't be possible. The occluded data should never be given out
> by the authoritative server, so the resolver should never see it.
>
> Tell us the actual domains so we can see what's really happening.
>
> > Is this a bind specific implementation, not required by any RFCs?
> > From authoritative dns perspective, Amazon Route53 allows you to add both
> > delegations in the a.com zone without any "out of zone data" error.
> >
> >
> > On Tue, Nov 13, 2018 at 1:50 PM Mark Andrews  wrote:
> >
> > >
> > > > On 14 Nov 2018, at 4:04 am, Frank Liu  wrote:
> > > >
> > > > Hi,
> > > >
> > > > Is there a RFC determining which nameserver to use if there is a
> > > > conflicting subdomain delegation?
> > > >
> > > > eg:
> > > > In the zone of a.com, there are two NS delegations
> > >
> > > This one is used.
> > >
> > > > b.a.com NS host1
> > >
> > > This one is ignored as it is occluded data.
> > >
> > > > c.b.a.com NS host2
> > > >
> > > > On host1 in zone b.a.com, there is
> > > > c.b.a.com NS host3
> > >
> > > Which is occluded data or glue depending upon the rest of the contents of
> > > the zone.
> > >
> > > > As you can see, there is a conflicting delegation for c.b.a.com. If I
> > > > look a name d.c.b.a.com, will the nameserver host2 or host3 be used?
> > > > dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
> > > > (the test was done on a centos7).
> > >
> > > dig +trace follows the returned delegations.
> > >
> > > > Any ideas?
> > > > Thanks!
> > >
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
> > >
> > >
>
> --
> Barry Margolin
> Arlington, MA


Re: conflicting subdomain delegation

2018-11-15 Thread Barry Margolin
In article ,
 Frank Liu  wrote:

> Thanks for confirming bind behavior matches what I saw.
> I noticed other resolvers (eg: @8.8.8.8) works differently, c.b.a.com NS
> host2 actually got used, not ignored as occluded data.

That shouldn't be possible. The occluded data should never be given out 
by the authoritative server, so the resolver should never see it.

Tell us the actual domains so we can see what's really happening.

> Is this a bind specific implementation, not required by any RFCs?
> From authoritative dns perspective, Amazon Route53 allows you to add both
> delegations in the a.com zone without any "out of zone data" error.
> 
> 
> On Tue, Nov 13, 2018 at 1:50 PM Mark Andrews  wrote:
> 
> >
> > > On 14 Nov 2018, at 4:04 am, Frank Liu  wrote:
> > >
> > > Hi,
> > >
> > > Is there a RFC determining which nameserver to use if there is a
> > > conflicting subdomain delegation?
> > >
> > > eg:
> > > In the zone of a.com, there are two NS delegations
> >
> > This one is used.
> >
> > > b.a.com NS host1
> >
> > This one is ignored as it is occluded data.
> >
> > > c.b.a.com NS host2
> > >
> > > On host1 in zone b.a.com, there is
> > > c.b.a.com NS host3
> >
> > Which is occluded data or glue depending upon the rest of the contents of
> > the zone.
> >
> > > As you can see, there is a conflicting delegation for c.b.a.com. If I
> > > look a name d.c.b.a.com, will the nameserver host2 or host3 be used?
> > > dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
> > > (the test was done on a centos7).
> >
> > dig +trace follows the returned delegations.
> >
> > > Any ideas?
> > > Thanks!
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
> >
> >

-- 
Barry Margolin
Arlington, MA


Re: conflicting subdomain delegation

2018-11-14 Thread Frank Liu
Thanks for confirming bind behavior matches what I saw.
I noticed other resolvers (eg: @8.8.8.8) works differently, c.b.a.com NS
host2 actually got used, not ignored as occluded data.
Is this a bind specific implementation, not required by any RFCs?
From authoritative dns perspective, Amazon Route53 allows you to add both
delegations in the a.com zone without any "out of zone data" error.


On Tue, Nov 13, 2018 at 1:50 PM Mark Andrews  wrote:

>
> > On 14 Nov 2018, at 4:04 am, Frank Liu  wrote:
> >
> > Hi,
> >
> > Is there a RFC determining which nameserver to use if there is a
> > conflicting subdomain delegation?
> >
> > eg:
> > In the zone of a.com, there are two NS delegations
>
> This one is used.
>
> > b.a.com NS host1
>
> This one is ignored as it is occluded data.
>
> > c.b.a.com NS host2
> >
> > On host1 in zone b.a.com, there is
> > c.b.a.com NS host3
>
> Which is occluded data or glue depending upon the rest of the contents of
> the zone.
>
> > As you can see, there is a conflicting delegation for c.b.a.com. If I
> > look a name d.c.b.a.com, will the nameserver host2 or host3 be used?
> > dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
> > (the test was done on a centos7).
>
> dig +trace follows the returned delegations.
>
> > Any ideas?
> > Thanks!
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
>


Re: conflicting subdomain delegation

2018-11-13 Thread Mark Andrews


> On 14 Nov 2018, at 4:04 am, Frank Liu  wrote:
> 
> Hi,
> 
> Is there a RFC determining which nameserver to use if there is a conflicting 
> subdomain delegation?
> 
> eg:
> In the zone of a.com, there are two NS delegations

This one is used.

> b.a.com NS host1

This one is ignored as it is occluded data.

> c.b.a.com NS host2
> 
> On host1 in zone b.a.com, there is
> c.b.a.com NS host3

Which is occluded data or glue depending upon the rest of the contents of the 
zone.

> As you can see, there is a conflicting delegation for c.b.a.com. If I look a 
> name d.c.b.a.com, will the nameserver host2 or host3 be used?
> dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
> (the test was done on a centos7).

dig +trace follows the returned delegations. 

> Any ideas?
> Thanks!

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
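
The distinction drawn in the reply above, between the delegation that is used and the record below it that is occluded, can be checked mechanically for a single zone. The following is an added example, not part of the thread and not BIND's code; the zone contents, `host1.b.a.com.`, `host2.example.net.` and the addresses are constructed placeholders based on the a.com scenario.

```python
# Constructed zone data for a.com, following the thread's example.
ORIGIN = "a.com."
ZONE = [
    ("a.com.", "NS", "ns1.a.com."),
    ("ns1.a.com.", "A", "192.0.2.1"),
    ("b.a.com.", "NS", "host1.b.a.com."),
    ("host1.b.a.com.", "A", "192.0.2.53"),
    ("c.b.a.com.", "NS", "host2.example.net."),
    ("www.b.a.com.", "A", "192.0.2.80"),
]

def labels(name):
    """Lowercase labels of a domain name, ignoring the trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_at_or_below(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def topmost_cut(owner, origin, records):
    """Delegation point nearest the apex that is at or above owner, if any."""
    cuts = [o for o, t, _ in records
            if t == "NS" and labels(o) != labels(origin)
            and is_at_or_below(o, origin)]
    covering = [c for c in cuts if is_at_or_below(owner, c)]
    return min(covering, key=lambda c: len(labels(c)), default=None)

def classify(origin, records):
    """Return {(owner, type): status} for every record in the zone."""
    out = {}
    for owner, rtype, _ in records:
        cut = topmost_cut(owner, origin, records)
        at_cut = cut is not None and labels(owner) == labels(cut)
        # Targets of the NS RRset at the covering cut (used to spot glue).
        ns_targets = [labels(d) for o, t, d in records
                      if cut and t == "NS" and labels(o) == labels(cut)]
        if not is_at_or_below(owner, origin):
            status = "out-of-zone"
        elif cut is None:
            status = "authoritative"
        elif at_cut and rtype in ("NS", "DS"):
            status = "delegation"
        elif rtype in ("A", "AAAA") and labels(owner) in ns_targets:
            status = "glue"
        else:
            status = "occluded"
        out[(owner, rtype)] = status
    return out

if __name__ == "__main__":
    for key, status in classify(ORIGIN, ZONE).items():
        print(*key, status)
```

Auditing a parent zone this way shows which NS records sit below an existing zone cut, which is the situation the thread describes for `c.b.a.com`.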



Re: conflicting subdomain delegation

2018-11-13 Thread Matus UHLAR - fantomas

On 13.11.18 09:04, Frank Liu wrote:

Is there a RFC determining which nameserver to use if there is a
conflicting subdomain delegation?

eg:
In the zone of a.com, there are two NS delegations:

b.a.com NS host1
c.b.a.com NS host2


this should produce "out of zone data" error. Since the b.a.com is
delegated, no subdomains of it should appear in a.com zone.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: conflicting subdomain delegation

2018-11-13 Thread Frank Liu
bind9 resolver is a simple cache only with root hint. No local zones.

On Tue, Nov 13, 2018 at 9:18 AM Lyle Giese  wrote:

> On 11/13/2018 11:04 AM, Frank Liu wrote:
>
> Hi,
>
> Is there a RFC determining which nameserver to use if there is a
> conflicting subdomain delegation?
>
> eg:
> In the zone of a.com, there are two NS delegations:
>
> b.a.com NS host1
> c.b.a.com NS host2
>
> On host1 in zone b.a.com, there is
> c.b.a.com NS host3
>
> As you can see, there is a conflicting delegation for c.b.a.com. If I
> look a name d.c.b.a.com, will the nameserver host2 or host3 be used?
> dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
> (the test was done on a centos7).
>
> Any ideas?
> Thanks!
>
>
>
> I would expect that behavior if the Bind9 resolver was set up to query
> host1.  If bind9 queries a server that is authoritative for b.a.com, I
> would expect that result.  If the bind9 resolver is set up to query a
> recursive-only server (other than host1), I would expect the same behavior
> as the +trace result.
>
> So I think the answer is dependent on how your bind9 resolver is
> configured.
>
> Lyle Giese


Re: conflicting subdomain delegation

2018-11-13 Thread Lyle Giese

On 11/13/2018 11:04 AM, Frank Liu wrote:

Hi,

Is there a RFC determining which nameserver to use if there is a 
conflicting subdomain delegation?


eg:
In the zone of a.com, there are two NS delegations:

b.a.com NS host1
c.b.a.com NS host2

On host1 in zone b.a.com, there is
c.b.a.com NS host3

As you can see, there is a conflicting delegation for c.b.a.com. If I
look a name d.c.b.a.com, will the nameserver host2 or host3 be used?

dig +trace seems to go to host2, but bind9 as a resolver goes to host3.
(the test was done on a centos7).

Any ideas?
Thanks!




I would expect that behavior if the Bind9 resolver was set up to query 
host1.  If bind9 queries a server that is authoritative for b.a.com, I 
would expect that result.  If the bind9 resolver is set up to query a 
recursive-only server (other than host1), I would expect the same 
behavior as the +trace result.


So I think the answer is dependent on how your bind9 resolver is configured.

Lyle Giese
