On Jun 27, 2013, at 10:04 PM, Feng He <[email protected]> wrote:

> Hi,
>
> Sorry for my poor English.
> Say I have a domain a.com, whose NS records are:
> ns1.b.com
> ns2.b.com
>
> But b.com is not auth-resolved by my nameserver; for example, its
> auth-servers are the registrar's.
>
> a.com is auth-resolved by my own nameservers, and the NS records look like:
>
> a.com. 111 IN NS ns1.b.com.
> a.com. 111 IN NS ns2.b.com.
>
> But if I add the zone b.com into the nameservers' zone file (though the zone
> is not auth-resolved by my servers, as I've said) and set up the A records
> with fake IPs for ns1.b.com and ns2.b.com, then when I query for:
> dig a.com ns

You don't want to do this any more. That hasn't been necessary for maybe 15 years now. Your software should also log an error/warning if you do it.

> the nameservers will answer with an additional section whose content is the
> fake IPs.
>
> ;; ANSWER SECTION:
> a.com. 111 IN NS ns1.b.com.
> a.com. 111 IN NS ns2.b.com.
>
> ;; ADDITIONAL SECTION:
> ns1.b.com. 111 IN A 1.2.3.4
> ns2.b.com. 111 IN A 5.6.7.8
>
> Will this make the world's DNS caches not work? i.e., the ISP's public DNS
> servers.

It should not impact most of them. Anyone that isn't fetching this themselves and trusting what they receive is asking for trouble.

http://www.kb.cert.org/vuls/id/418861

Is one fix.

- Jared

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
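The resolver-side rule Jared is pointing at ("fetching this themselves" rather than trusting what the a.com server volunteers), as an added example that is not part of the thread and not code from any resolver: a bailiwick filter that keeps additional-section records only when their owner name lies inside the zone the answering server is authoritative for, and lists the NS targets the resolver must look up on its own. The out-of-bailiwick sample response is reconstructed from the dig output in the question; the in-zone contrast case, the 192.0.2.1 address, and the function and type names are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response section."""
    name: str    # owner name, e.g. "ns1.b.com."
    rtype: str   # "NS", "A", "AAAA", ...
    ttl: int
    rdata: str   # NS target or address, as text


def _labels(name: str) -> list[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it.

    The root zone ("." or "") contains every name, so a root server's
    glue is always in-bailiwick; any other zone only vouches for names
    that end in its own labels (label-wise, so "xa.com" is not under "a.com").
    """
    z, n = _labels(zone), _labels(name)
    if not z:
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def process_response(zone: str, answer: list[RR], additional: list[RR]) -> dict:
    """Apply the bailiwick check to one response.

    `zone` is the zone the answering server is authoritative for (a.com in
    the thread).  Additional records outside it are dropped, never cached;
    the NS targets they claimed to cover go on a list of names the resolver
    has to resolve independently, through b.com's real servers.
    """
    accepted, rejected = [], []
    for rr in additional:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)

    covered = {rr.name.lower() for rr in accepted if rr.rtype in ("A", "AAAA")}
    ns_targets = {rr.rdata.lower() for rr in answer if rr.rtype == "NS"}
    return {
        "accepted": accepted,
        "rejected": rejected,
        "to_resolve": sorted(ns_targets - covered),
    }


# Constructed sample, rebuilt from the dig output in the question: the a.com
# server volunteers addresses for ns1/ns2.b.com, names it does not serve.
ANSWER_A_COM = [
    RR("a.com.", "NS", 111, "ns1.b.com."),
    RR("a.com.", "NS", 111, "ns2.b.com."),
]
ADDITIONAL_FAKE = [
    RR("ns1.b.com.", "A", 111, "1.2.3.4"),
    RR("ns2.b.com.", "A", 111, "5.6.7.8"),
]

# Constructed contrast case (hypothetical): nameservers inside a.com, where
# glue is genuinely needed and is in-bailiwick, so it is kept.
ANSWER_IN_ZONE = [RR("a.com.", "NS", 111, "ns1.a.com.")]
GLUE_IN_ZONE = [RR("ns1.a.com.", "A", 111, "192.0.2.1")]


if __name__ == "__main__":
    for label, ans, add in (("out-of-bailiwick", ANSWER_A_COM, ADDITIONAL_FAKE),
                            ("in-bailiwick glue", ANSWER_IN_ZONE, GLUE_IN_ZONE)):
        r = process_response("a.com.", ans, add)
        print(label,
              "cached:", [f"{x.name} {x.rdata}" for x in r["accepted"]],
              "dropped:", [x.name for x in r["rejected"]],
              "resolve separately:", r["to_resolve"])
```

Run against the question's response, the filter caches nothing from the additional section and schedules ns1.b.com and ns2.b.com for independent lookup, which is why the fake IPs do not reach a cache that applies this check. The in-zone case shows the flip side: when the NS names sit under a.com itself, the glue must be accepted, or the delegation could never be followed.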
