On Thu, Aug 02, 2001 at 05:49:38PM +0700, Robert Elz wrote:
>   | When resolving, BIND 8 and 9 do reject
>   | all records that are not within the domain whose authoritative
>   | servers are being queried.
> 
> That's broken, and should be fixed.  If it really is as you have
> explained it, it guarantees that some perfectly legal DNS configurations
> can never be properly resolved.

We had that problem. This leads to frantic phone calls from Verisign, who
explained it all very clearly and kindly suggested we move to using glue
records ASAP. Verisign sees a very large number of requests on the (gtld?)
root servers for your nameservers otherwise.

The situation was like this:

At Amnic:
        I.AM                    NS      select.powerdns.com.
        I.AM                    NS      mincore.powerdns.com.

At the GTLD servers:

        powerdns.com            NS      dns-us1.powerdns.net.
        powerdns.com            NS      dns-eu1.powerdns.net.
        dns-us1.powerdns.net    A       63.123.33.130
        dns-eu1.powerdns.net    A       213.244.168.217

on the dns-{us,eu}1.powerdns.net:

        select.powerdns.com     A       212.72.48.170
        mincore.powerdns.com    A       204.198.135.70

This sequence does not allow WWW.I.AM to be resolved by Bind 8.2.3. If you
start from an empty cache, bind will not believe the answers it gets, and
get stuck.

We've now moved the I.AM NS records to the glued ns1.i.am and ns2.i.am,
which get sent in the additional section, thus helping bind.

I'm by nature not a bind-basher since I think it is unwise for competitors
to throw mud at each other, but this *is* rather silly behaviour. Having said
that, writing a recursing nameserver is very difficult - so far we stick to
only being authoritative.

Regards,


bert

-- 
http://www.PowerDNS.com      Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
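
The delegation chain from the message above, run through a simplified model of the rule quoted at its top (keep only records within the zone whose servers were asked). This is an added example, not part of the original message and not BIND's code. The `ns1.i.am`/`ns2.i.am` addresses are constructed placeholders, and treating the gTLD answer as coming from the `com` zone is an assumption.

```python
# Simplified bailiwick model (assumption: one zone per queried server set).

def in_bailiwick(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return n[-len(z):] == z

def filter_referral(zone, records):
    """Split (owner, type, rdata) records from `zone`'s servers into kept/dropped."""
    kept = [r for r in records if in_bailiwick(r[0], zone)]
    dropped = [r for r in records if not in_bailiwick(r[0], zone)]
    return kept, dropped

def unglued_targets(zone, records):
    """NS targets left without an accepted address; each needs its own lookup."""
    kept, _ = filter_referral(zone, records)
    have_addr = {o.lower().rstrip(".") for o, t, _ in kept if t == "A"}
    targets = [d.lower().rstrip(".") for _, t, d in kept if t == "NS"]
    return [t for t in targets if t not in have_addr]

# Records as listed in the message.
AMNIC_BEFORE = [
    ("I.AM", "NS", "select.powerdns.com."),
    ("I.AM", "NS", "mincore.powerdns.com."),
]
GTLD = [
    ("powerdns.com", "NS", "dns-us1.powerdns.net."),
    ("powerdns.com", "NS", "dns-eu1.powerdns.net."),
    ("dns-us1.powerdns.net", "A", "63.123.33.130"),
    ("dns-eu1.powerdns.net", "A", "213.244.168.217"),
]
# After the move to glued names; addresses are constructed (192.0.2.0/24).
AMNIC_AFTER = [
    ("I.AM", "NS", "ns1.i.am."),
    ("I.AM", "NS", "ns2.i.am."),
    ("ns1.i.am", "A", "192.0.2.1"),
    ("ns2.i.am", "A", "192.0.2.2"),
]

if __name__ == "__main__":
    for label, zone, recs in [("Amnic, before", "am", AMNIC_BEFORE),
                              ("gTLD", "com", GTLD),
                              ("Amnic, after", "am", AMNIC_AFTER)]:
        _, dropped = filter_referral(zone, recs)
        print(label, "| dropped:", [r[0] for r in dropped],
              "| still to resolve:", unglued_targets(zone, recs))
```

Each name left in "still to resolve" costs the resolver a fresh lookup starting from its own delegation chain, which is the extra load on the upstream servers the message describes.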
