Re: [DNS] BIND Delegation Only

From: David Keegel <djk§cybersource.com.au>
Date: Fri, 21 Nov 2003 06:47:56 +1100 (EST)
] Hi Anand,
] 
] I should have provided a clearer explanation. :)

And as Alwyn said, it's really a gTLD issue more than a .au issue.
 
] Bind running in delegation-only mode will not resolve addresses where the
] name servers for the domain in question are (ultimately) all in another TLD
] and where the prime TLD registry does not support glue for nameservers in
] another TLD.

This "delegation-only" mode feature was a patch added to BIND 9 shortly
after Verisign put a wildcard *.com and *.net pointing at its SiteFinder
web site.  The intended effect is to ignore wildcards.  To run BIND in
"delegation-only" mode, you need to patch the software, and change your
BIND configuration file to say what zones you want to be "delegation-only"
(eg: "com" and "net").

I thought the need to support "delegation-only" configs was much reduced
when Verisign suspended the wildcards *.com and *.net on October 4.  Of
course the wildcards could come back, but since there are currently no
wildcards in *.com and *.net, I see no reason to configure com and net
as delegation-only at this time, except maybe to test for unintended
consequences of delegation-only.

In the case of rescuegroup, it looks to me like the reason for the failure
is that there are no NS records for rescuegroup.com (a.gtld-servers.net
still returns NXDOMAIN on rescuegroup.com), therefore delegation-only
mode (if configured for "com") should say that ns1.rescuegroup.com and
ns2.rescuegroup.com are non-existent addresses.  (Bear in mind that BIND
can't distinguish between glue and synthesised records from a wildcard.)

If this is a problem, I have two suggestions:
(1) Configure BIND not to be delegation-only for com
(2) Advise rescuegroup that they have a questionable configuration.
  
On (2), they seem to use rescuegroup.com, but the gTLD servers do not
have any NS records for rescuegroup.com, which is probably because
their gTLD registrar (Network Solutions) lists rescuegroup.com as 
expired on 01-Nov-2003.

Rescue Group should renew rescuegroup.com or stop using it (eg:
change the DNS servers for rescuegroup.com.au so they don't refer
to rescuegroup.com).  Otherwise sooner or later the glue for the
expired rescuegroup.com will go away, and then rescuegroup.com.au
and afgonline.com.au will stop working for everyone (not just
those who use delegation-only mode on .com).

] In my example afgonline.com.au nameservers are in .au (rescuegroup.com.au),
] but the nameservers for rescuegroup.com.au are in .com (rescuegroup.com) and
] resolution fails at that point - no glue.
] 
] To ensure reliability under the world according to delegation-only you need
] at least one nameserver completely within the same TLD or you become
] invisible to people who disagree with Verisign.
] 
] This is not specific to .au and is not finger pointing, simply an
] observation.
] 
] alwyn
] 
] ----- Original Message ----- 
] From: "Anand Kumria" <wildfire§progsoc.uts.edu.au>
] To: <dns§lists.auda.org.au>
] Sent: Thursday, November 20, 2003 2:44 PM
] Subject: Re: [DNS] BIND Delegation Only
] 
] 
] Hi Alwyn,
] 
] I'm coming a bit late here and it would seem you've since resolved your
] problem. However I'm not sure I understand what the original problem
] was, could you elaborate further?
] 
] On Wed, Nov 12, 2003 at 04:55:55PM +1000, Alwyn Smith wrote:
] > This one had me going for a while because the problem was further up the
] dns
] > chain than I was looking.  Hopefully this info may help someone else with
] > "inexplicable" dns failures on .au domains.
] >
] > afgonline.com.au would not resolve:
] >
] > afgonline.com.au.       2554    IN      NS      ns1.rescuegroup.com.au.
] > afgonline.com.au.       2554    IN      NS      ns2.rescuegroup.com.au.
] 
] so, dig ns1.rescuegroup.com.au and dig ns1.rescuegroup.com.au would both
] fail?
] 
] >
] > ns1.rescuegroup.com.au. 2554    IN      A       203.103.84.232
] > ns2.rescuegroup.com.au. 2554    IN      A       210.11.148.5
] 
] Were these glue records for ausregistry.net or were they listed as NS in
] the zone file?
] 
] >
] > rescuegroup.com.au.     2477    IN      NS      ns1.rescuegroup.com.
] > rescuegroup.com.au.     2477    IN      NS      ns2.rescuegroup.com.
] 
] Same question as above.
] 
] >
] > If you operate bind in "delegation only" mode then lookups of .au domains
] > with name servers _ultimately_ in "delegation only" domains will fail.
] 
] So this is a client problem (i.e. the admin of a zone has setup
] delegation only) and there isn't much that a third party zone operator
] can do about things?
] 
] Not sure I fully understand, and insight would be appreciated.
] 
] Regards,
] Anand
] 
] -- 
]  `` We are shaped by our thoughts, we become what we think.
]  When the mind is pure, joy follows like a shadow that never
]  leaves. '' -- Buddha, The Dhammapada
] 
] ---------------------------------------------------------------------------
] List policy, unsubscribing and archives => http://dotau.org/
] Please do not retransmit articles on this list without permission of the
] author, further information at the above URL.
] 
] 
] 

___________________________________________________________________________
 David Keegel <djk§cybersource.com.au>  http://www.cyber.com.au/users/djk/
 Cybersource P/L: Linux/Unix Systems Administration Consulting/Contracting
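The failure mode David describes above (delegation-only on "com" rejecting the stale glue for ns1.rescuegroup.com, and the .au chain afgonline.com.au -> rescuegroup.com.au -> rescuegroup.com breaking as a result) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not BIND code and not anything posted by David, Alwyn or Anand. The gTLD replies it uses are constructed to mirror the thread (a *.com wildcard synthesising A records; rescuegroup.com with no NS records at the com servers but orphaned glue still being handed out), the .au delegations are taken from the dig output quoted in the thread, and every address under .com is a documentation-range placeholder.

```python
"""
Toy model of BIND's "delegation-only" check.  Added example for this thread,
not BIND's code and not from any of the posts.  Query/response data is
CONSTRUCTED: a *.com wildcard that synthesises A records, and rescuegroup.com
holding no NS records at the com servers while stale glue for
ns1.rescuegroup.com is still returned.  Addresses under .com are placeholders.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Cut-down DNS response: rcode plus the three record sections."""
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


# Constructed replies from the "com" servers, keyed by (qname, qtype).
COM_SERVER = {
    # Wildcard synthesis: a name that does not exist still gets an A record.
    ("nosuchname-example.com", "A"): Response(
        answer=[RR("nosuchname-example.com", "A", "192.0.2.10")]),
    # Healthy delegation: NS in the authority section, glue in additional.
    ("www.delegated-example.com", "A"): Response(
        authority=[RR("delegated-example.com", "NS", "ns1.delegated-example.com")],
        additional=[RR("ns1.delegated-example.com", "A", "192.0.2.20")]),
    # rescuegroup.com has expired: no NS records at the com servers ...
    ("rescuegroup.com", "NS"): Response(rcode="NXDOMAIN"),
    # ... yet the orphaned glue address is still returned as a bare answer.
    ("ns1.rescuegroup.com", "A"): Response(
        answer=[RR("ns1.rescuegroup.com", "A", "192.0.2.30")]),
}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def delegation_only_filter(zone, qname, resp):
    """Apply the delegation-only rule to a reply from ZONE's servers.

    Accept the reply only if it is NXDOMAIN, concerns the zone apex itself,
    or is a referral (NS records in the authority section for a name below
    the apex).  Anything else is rewritten to NXDOMAIN.  A synthesised
    wildcard A record and orphaned glue returned as a plain answer look
    identical here, which is exactly the point made in the thread.
    """
    if resp.rcode == "NXDOMAIN" or qname == zone:
        return resp
    is_referral = any(rr.rtype == "NS" and rr.name != zone and in_zone(rr.name, zone)
                      for rr in resp.authority)
    if is_referral:
        return resp
    return Response(rcode="NXDOMAIN")


def query_com(qname, qtype, delegation_only):
    """Ask the constructed com servers, optionally through the filter."""
    resp = COM_SERVER.get((qname, qtype), Response(rcode="NXDOMAIN"))
    return delegation_only_filter("com", qname, resp) if delegation_only else resp


def lookup_a(qname, delegation_only):
    """Return the A rdata for a name under .com, or None if the lookup fails."""
    resp = query_com(qname, "A", delegation_only)
    for rr in resp.answer + resp.additional:
        if rr.name == qname and rr.rtype == "A":
            return rr.rdata
    return None


# The .au side of the chain, as shown by the dig output quoted in the thread.
AU_DELEGATIONS = {
    "afgonline.com.au": ["ns1.rescuegroup.com.au"],
    "rescuegroup.com.au": ["ns1.rescuegroup.com"],
}


def nameserver_reachable(zone, delegation_only):
    """Follow NS names across TLDs; True once a server address can be found."""
    for ns in AU_DELEGATIONS.get(zone, []):
        if ns.endswith(".com"):
            return lookup_a(ns, delegation_only) is not None
        # A .au nameserver is only as reachable as the zone it lives in.
        parent = ns.split(".", 1)[1]
        if nameserver_reachable(parent, delegation_only):
            return True
    return False


if __name__ == "__main__":
    for mode in (True, False):
        state = "resolvable" if nameserver_reachable("afgonline.com.au", mode) else "FAILS"
        print(f"delegation-only on com = {mode}: afgonline.com.au {state}")
```

With the filter on, the wildcard answer and the orphaned rescuegroup.com glue are both turned into NXDOMAIN, so afgonline.com.au becomes unresolvable; with it off the stale glue is accepted and the chain still works, but only until that glue disappears from the com servers, which is David's second suggestion in a nutshell. In BIND 9 releases from 9.2.3 onward this filter is enabled per zone with `type delegation-only` in named.conf rather than by patching.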
Received on Fri Oct 03 2003 - 00:00:00 UTC
