> On 13 Apr 2023, at 03:19, Fred Morris <m3...@m3047.net> wrote: > > TLDR: NS records occur above and below zone cuts. > > On Wed, 12 Apr 2023, John Thurston wrote: >> >> We have authority over state.ak.us, which we publish as a public zone. We >> also publish challenge.state.ak.us as a public zone. >> >> The public NS records for state.ak.us are: ns4.state.ak.us and >> ns3.state.ak.us The NS records for challenge.state.ak.us are the same. >> >> I recently noticed there were no NS records _in the state.ak.us zone_ for >> challenge.state.ak.us. > > So nothing above the zone cut == there is no zone cut. (IMO) > >> This had me scratching my head . . "how can this be working?", until I >> remembered the same instances of BIND were serving out both zones. There >> _were_ NS records in the challenge.state.ak.us zone, BIND had them, was >> authoritative, so would answer with them; BIND didn't need to look in the >> state.ak.us zone to find them. > > Yup. > >> Some experimentation shows that even if I insert NS records into state.ak.us >> (for challenge.state.ak.us), BIND does not add them to its answer when asked >> "dig NS challenge.state.ak.us". I interpret this to mean that while this >> instance of BIND is authoritative for both zones, it answers with >> information from the most specific zone it has, and ignores values in the >> delegating zone. And that makes sense to me. > > Yup. > >> Now the question is, should I insert NS records into state.ak.us (for >> challenge.state.ak.us) anyway? >> [...] >> >> Unknown: >> >> * Does the answer change if we want to start signing either zone? > > I suspect you don't need the NS records in challenge.state.ak.us and if you > remove them then the records in challenge.state.ak.us are simply part of the > state.ak.us zone since they're served off of the same server. Glue records > (above the cut) are essentially the same NS record(s) published on > nameservers above the zone cut as within the zone on the nameservers for the > zone proper (below the cut). > > On the other hand maybe whatever software you're using to manage / serve DNS > does something with those records (or requires them since / if the two > namespaces are loaded as separate zones). > > In terms of NXDOMAIN and SOA queries, both state.ak.us and > challenge.state.ak.us seem to do the right thing in terms of pretending to be > separate zones, e.g. in the first case returning the correct domain in the > AUTHORITY and in the second case returning the relevant SOA records directly > in the ANSWER.
You need NS records in the parent domain to give correct answers to DS queries (DATA or NODATA NOERROR vs NXDOMAIN) and to generate valid NSEC and NSEC3 chains. Additionally if the parent zone is ever transferred to server without the child zone clients will see a Schrödinger zone. Always add delegating NS RRset and keep it consistent with the child zone. > -- > > Fred Morris, internet plumber > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > email@example.com > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list firstname.lastname@example.org https://lists.isc.org/mailman/listinfo/bind-users