This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
clueing in TLD registries for delegations to non-BIND servers
Stefan Paletta
stefanp at cabal1.com
Sun Feb 9 22:56:27 CET 2003
[please do not explicitly send copies of followups to me]

Brad Knowles wrote/schrieb/scripsit:
> In which case, it is impossible to configure nsd to "do the right
> thing", even if this feature wasn't turned on by default. If you
> don't configure the root zone, then you get SERVFAIL instead. If you
> do, then you get bogus information. We need a third way, one that
> gives us the right answer.

There is no One True Lame Delegation Answer. Servers have always responded differently when a delegation was lame.

For example, suppose I had configured the cabal1.net nameservers like:

    $ORIGIN cabal1.net.
    ; SOA yadda yadaa
    foobar  NS  k
    k       A   193.0.14.129 ; address of k.root-servers.net

Then, when a client had learned that k.cabal1.net at address 193.0.14.129 was supposed to know about foobar.cabal1.net, this nameserver, when asked for the address of foobar.cabal1.net, would respond with an authoritative referral to the net servers. The client would notice that this was a lame delegation and then throw away the information received, because it would be vulnerable to poisoning otherwise.

Similarly, BIND servers usually have a root.cache file, even when they are not acting as recursive resolvers. As a consequence, under certain circumstances, all they could do when asked for information they did not have was to return their knowledge of the root servers. They would do this non-authoritatively because the root.cache information is not their authoritative knowledge. No matter if this is even an authoritative answer (i.e. the server had a local root zone configured) or not, the client will notice that the delegation is lame and then throw away the (possibly bogus) information.

So, there is absolutely nothing magic about returning a referral to the roots. Many possible -- and correct -- responses to a lame delegation exist and one of them is to simply return SERVFAIL for lack of better knowledge.

-Stefan
--
junior guru SP666-RIPE SMP@{IRC,SILC}
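The resolver-side check the message describes (notice the lame delegation, then discard what was received), as an added example that is not part of the original post. The dict layout, the function names and the 192.0.2.x addresses are assumptions made for illustration; a real resolver works on wire-format messages and applies further checks.

```python
# Added example: constructed responses as plain dicts, not DNS wire format.
# Records are (owner, type, rdata) tuples.

def labels(name):
    """Lowercased labels of a domain name; the root is the empty list."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_within(name, zone):
    """True if name is zone itself or lies below it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def classify(qname, zone, resp):
    """Judge a reply from a server `zone` was delegated to: (verdict, kept)."""
    if resp["rcode"] not in ("NOERROR", "NXDOMAIN"):
        return "lame", []                       # SERVFAIL: no better knowledge
    ns_owners = {o for o, rtype, _ in resp["authority"] if rtype == "NS"}
    if not resp["answer"] and ns_owners:
        # A referral is only valid for a cut strictly below `zone` that is
        # on the path to qname; a referral to net. or the root is lame.
        downward = all(is_within(o, zone) and labels(o) != labels(zone)
                       and is_within(qname, o) for o in ns_owners)
        if not downward:
            return "lame", []                   # discard glue as well
        keep = resp["authority"] + resp["additional"]
        return "referral", [r for r in keep if is_within(r[0], zone)]
    if not resp["aa"]:
        return "lame", []                       # cached data, not authority
    return "authoritative", [r for r in resp["answer"] if is_within(r[0], zone)]

ZONE, QNAME = "foobar.cabal1.net.", "foobar.cabal1.net."
# Constructed replies; 192.0.2.x addresses are documentation placeholders.
TO_NET = {"rcode": "NOERROR", "aa": True, "answer": [],
          "authority": [("net.", "NS", "a.gtld-servers.net.")],
          "additional": [("a.gtld-servers.net.", "A", "192.0.2.1")]}
TO_ROOT = {"rcode": "NOERROR", "aa": False, "answer": [],
           "authority": [(".", "NS", "k.root-servers.net.")],
           "additional": [("k.root-servers.net.", "A", "193.0.14.129")]}
SERVFAIL = {"rcode": "SERVFAIL", "aa": False, "answer": [],
            "authority": [], "additional": []}
GOOD = {"rcode": "NOERROR", "aa": True,
        "answer": [("foobar.cabal1.net.", "A", "192.0.2.10")],
        "authority": [], "additional": []}

if __name__ == "__main__":
    for resp in (TO_NET, TO_ROOT, SERVFAIL, GOOD):
        print(classify(QNAME, ZONE, resp))
```

All three lame variants (authoritative referral to net, non-authoritative referral to the roots, SERVFAIL) end in the same place: nothing from the reply is kept.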