[nsd-users] NSD 4.0.1: referral from parent instead of SERVFAIL
Peter Koch
pk at DENIC.DE
Tue Jan 28 17:12:57 UTC 2014
On Tue, Jan 28, 2014 at 05:30:25PM +0100, Anand Buddhdev wrote:
> ;; AUTHORITY SECTION:
> 14.109.in-addr.arpa. 172800 IN NS ns.ripe.net.
> 14.109.in-addr.arpa. 172800 IN NS nsrev00.dns.sfr.net.
> 14.109.in-addr.arpa. 172800 IN NS nsrev01.dns.sfr.net.
>
> Why doesn't NSD do a closest match and return SERVFAIL?
In this case, ns.ripe.net does not know about the zone, but the
other two servers respond authoritatively. That means a resolver
starting at "ns.ripe.net" can recover only by using another one
of 109.in-addr.arpa's servers, whereas the NSD behaviour would
make possible a recovery one level below. Not saying it is _the_
way to go, but it makes a lot of sense to me. And then there's DNSSEC,
suggesting to be extra careful with child/grandchild zone interaction.
-Peter