[nsd-users] 'deeper' labels and a covering NS delegation
wouter at nlnetlabs.nl
Tue Mar 5 14:22:10 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
On 03/05/2013 02:53 PM, Jeroen Massar wrote:
> I did something silly in the following form:
> 8<---------------------------- $TTL 14400 $ORIGIN example.org.
> @ IN SOA localhost. dns.example.org. (2013022402 10800 3600 2419200
> 14400 ) NS ns1.example.net. NS ns2.example.net. NS
> test.very.deep.label.subdomain TXT "Deep Label"
> subdomain NS ns1.example.net. NS
> ns2.example.net. NS ns3.example.net.
> Fun detail in this silly thing is that we do not provide
> subdomain.example.org to nsd, that is we do not configure it.
> The 'test.very.deep.label.subdomain' apparently can never be
> queried as the NS entry overrules it and thus we just get an
> endless redirect to ns1/2/3.example.net (till the DNS client gives
> up rightly ;).
This is by design. The TXT record is occluded and is not served.
This situation happens normally when a master (a dynamic update
configured machine) is removing a part of a zone to replace it with a
delegation to a remote machine. To make this atomic, the delegation
is placed first (and takes precendence) and then the TXT record and
other records can be removed piecemeal.
You can also move in reverse. Put the zone content in place record by
record and then remove the NS records at once to atomically place the
subdomain inside the example.com zone with all its records.
> For silly people like me, it would I think be a good idea to at
> least warn about the above case, that is the deeper label, the
> re-delegation to the same host is a standard delegation thing and a
> misconfiguration which though could be valid; the deeper label
> should never be valid though.
> A 'nsdc rebuild' will silently proceed without any warning. (On nsd
> 3.2.9-1 that is)
Yes, because it is a valid situation during certain dynamic update
transactions. And NSD does not know what is going on, since the
master performs the dynamic updates.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the nsd-users