Re: Glue record misunderstanding

2009-10-02 Thread Scott Haneda

> > Yeah, I just ran a few queries and can't figure out what exactly it's
> > complaining about.
> >
> > Matt
>
> It's making an observation (i in a blue circle) that there were
> not additional records for ns1.nacio.com being returned by
> ns1.hostwizard.com presumably because ns1.hostwizard.com doesn't
> serve the zone that contains ns1.nacio.com.  There is nothing wrong
> with this.  These records are NOT GLUE records.  Only parent servers
> return GLUE records.
>
> That being said there would be an error condition if the address
> (A/) record for ns1.hostwizard.com didn't exist except as glue.
> The way to check for that is to make a query for ns1.hostwizard.com
> and follow all the delegations until you get to the zone that serves
> ns1.hostwizard.com.
>
> Modern versions of named attempt to detect glue only delegations
> and refuse to load zones that contain them.



Thank you for the explanation Mark.  Also I was not aware that newer  
versions of named would refuse to load zones that were in error of  
glue only.  This is good to know.  Thank you.

--
Scott * If you contact me off list replace talklists@ with scott@ *

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Glue record misunderstanding

2009-10-02 Thread Matus UHLAR - fantomas
> On 01-Oct-2009, at 16:03, Scott Haneda wrote:
> > Is it also correct, I only need a NS glue record for the actual NS
> > itself.  There does not need to be a glue record for every zone that I
> > am providing DNS for?

On 01.10.09 18:25, Matthew Pounsett wrote:
> The only case where glue *must* be present is when a nameserver name is a
> subdomain of the zone it's authoritative for.
>
> So,  if ns1.example.com is one of the nameservers for example.com, then
> there must be glue in the com zone.  In all other cases it is not
> required.  However, some registries may include glue even when it's not
> necessary, since it simplifies the logic of generating their zone.

and often breaks when the A record of nameserver changes.

> To check if glue is present, ask your parent's nameservers for some
> record inside your zone.  When you get back the delegation response, if
> glue is present it'll be included in the ADDITIONAL section.

to check if glue is present in the zone, you usually must see the zone.
the exception is when you know that the server doesn't have any other zones
loaded where the record could appear.

> Here's a real-world example.  In this case, glue is unnecessary in the
> com zone, but Verisign is including it anyway:
>
> 18:24:04 % dig +norec IN A www.example.com @a.gtld-servers.net
>
> ;; AUTHORITY SECTION:
> example.com.  172800  IN  NS  a.iana-servers.net.
> example.com.  172800  IN  NS  b.iana-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.iana-servers.net.   172800  IN  A   192.0.34.43
> b.iana-servers.net.   172800  IN  A   193.0.0.236

the server returns glue records in additional section because it's also
authoritative for .net and iana-servers.net has those glue records in .net
zone. Therefore server constructed response of all data it has loaded:

% dig any iana-servers.net. @a.gtld-servers.net

;; ANSWER SECTION:
iana-servers.net.   172800  IN  NS  a.iana-servers.net.
iana-servers.net.   172800  IN  NS  b.iana-servers.org.
iana-servers.net.   172800  IN  NS  c.iana-servers.net.
iana-servers.net.   172800  IN  NS  d.iana-servers.net.
iana-servers.net.   172800  IN  NS  ns.icann.org.

;; ADDITIONAL SECTION:
a.iana-servers.net. 172800  IN  A   192.0.34.43
c.iana-servers.net. 172800  IN  A   139.91.1.10
d.iana-servers.net. 172800  IN  A   208.77.188.44

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Glue record misunderstanding

2009-10-01 Thread Scott Haneda
Hello, I believe I understand what a glue record is, and why I would  
need one.  I would like some clarification if possible.


While I am not the hugest fan of the dns report services, this report  
was brought to my attention:

http://www.intodns.com/hostwizard.com

It says I am missing glue for my ns1 at 64.84.37.14

This domain is registered through goDaddy.

First Question:
What is the procedure for using `dig` to determine that I am in fact  
missing an A record for my NS at the parent NS?  I would like to  
confirm their message.


Second, I logged into the control panel at GoDaddy, (I do not mind  
switching registrars, though I find it hard to believe they do not  
supply glue records for NS's), and I see something that looks like a  
glue record area.


http://dl.getdropbox.com/u/340087/Drops/10.01.09/dns-8234d865-130008.png

However, I did not add that data, it was already there.  It also  
references IPv6, and any edits or changes to it do not seem to stick.   
I emailed support at GoDaddy, asking how to add a glue record through  
their system.  I am not sure they understood the issue at hand, but  
this is what I received back:


Thank you for contacting Online Support. Unfortunately this is not
something you would be able to setup through us. We apologize for
any inconvenience.

Is it also correct, I only need a NS glue record for the actual NS  
itself.  There does not need to be a glue record for every zone that I  
am providing DNS for?


Thanks for any suggestions.
--
Scott * If you contact me off list replace talklists@ with scott@ *



Re: Glue record misunderstanding

2009-10-01 Thread Matthew Pounsett



On 01-Oct-2009, at 16:03, Scott Haneda wrote:

> Is it also correct, I only need a NS glue record for the actual NS
> itself.  There does not need to be a glue record for every zone that
> I am providing DNS for?


The only case where glue *must* be present is when a nameserver name  
is a subdomain of the zone it's authoritative for.


So,  if ns1.example.com is one of the nameservers for example.com,  
then there must be glue in the com zone.  In all other cases it is not  
required.  However, some registries may include glue even when it's not  
necessary, since it simplifies the logic of generating their zone.


To check if glue is present, ask your parent's nameservers for some  
record inside your zone.  When you get back the delegation response,  
if glue is present it'll be included in the ADDITIONAL section.


Here's a real-world example.  In this case, glue is unnecessary in the  
com zone, but Verisign is including it anyway:


18:24:04 % dig +norec IN A www.example.com @a.gtld-servers.net

; <<>> DiG 9.4.3-P3 <<>> +norec IN A www.example.com @a.gtld-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55065
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.example.com.   IN  A

;; AUTHORITY SECTION:
example.com.  172800  IN  NS  a.iana-servers.net.
example.com.  172800  IN  NS  b.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net. 172800  IN  A   192.0.34.43
b.iana-servers.net. 172800  IN  A   193.0.0.236

;; Query time: 65 msec
;; SERVER:
;; WHEN: Thu Oct  1 18:24:13 2009
;; MSG SIZE  rcvd: 113



Re: Glue record misunderstanding

2009-10-01 Thread Scott Haneda

On Oct 1, 2009, at 3:25 PM, Matthew Pounsett wrote:


> On 01-Oct-2009, at 16:03, Scott Haneda wrote:
>
> > Is it also correct, I only need a NS glue record for the actual NS
> > itself.  There does not need to be a glue record for every zone that
> > I am providing DNS for?
>
> The only case where glue *must* be present is when a nameserver name
> is a subdomain of the zone it's authoritative for.
>
> So,  if ns1.example.com is one of the nameservers for example.com,
> then there must be glue in the com zone.  In all other cases it is
> not required.  However, some registries may include glue even when
> it's not necessary, since it simplifies the logic of generating their
> zone.
>
> To check if glue is present, ask your parent's nameservers for some
> record inside your zone.  When you get back the delegation response,
> if glue is present it'll be included in the ADDITIONAL section.
>
> Here's a real-world example.  In this case, glue is unnecessary in
> the com zone, but Verisign is including it anyway:
>
> 18:24:04 % dig +norec IN A www.example.com @a.gtld-servers.net
>
> ; <<>> DiG 9.4.3-P3 <<>> +norec IN A www.example.com @a.gtld-servers.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55065
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;www.example.com.   IN  A
>
> ;; AUTHORITY SECTION:
> example.com.  172800  IN  NS  a.iana-servers.net.
> example.com.  172800  IN  NS  b.iana-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.iana-servers.net. 172800  IN  A   192.0.34.43
> b.iana-servers.net. 172800  IN  A   193.0.0.236
>
> ;; Query time: 65 msec
> ;; SERVER:
> ;; WHEN: Thu Oct  1 18:24:13 2009
> ;; MSG SIZE  rcvd: 113


Taking your example:
$ dig +norec IN A ns1.hostwizard.com @a.gtld-servers.net

; <<>> DiG 9.4.3-P3 <<>> +norec IN A ns1.hostwizard.com @a.gtld-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31543
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ns1.hostwizard.com.    IN  A

;; ANSWER SECTION:
ns1.hostwizard.com. 172800  IN  A   64.84.37.14

;; AUTHORITY SECTION:
hostwizard.com. 172800  IN  NS  ns1.hostwizard.com.
hostwizard.com. 172800  IN  NS  ns1.nacio.com.

;; ADDITIONAL SECTION:
ns1.hostwizard.com. 172800  IN  A   64.84.37.14
ns1.nacio.com.  172800  IN  A   64.84.0.18

;; Query time: 252 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Thu Oct  1 16:00:56 2009
;; MSG SIZE  rcvd: 122

So I see my NS is listed in the additional section.  This to me tells
me there is in fact glue, so I should consider the report at
http://intodns.com/hostwizard.com to be inaccurate?

--
Scott * If you contact me off list replace talklists@ with scott@ *
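
The check described in this thread (glue is mandatory only for a name server whose name lies inside the zone it serves, and it appears in the ADDITIONAL section of the parent's referral), as an added example that is not part of any poster's message. `check_glue` is a hypothetical helper; the first sample is the hostwizard.com referral from the dig output above, the second is constructed.

```shell
#!/bin/sh
# Added example: check_glue is a hypothetical helper, not from the thread.
# Reads `dig +norec` referral output on stdin; for each NS of ZONE prints
#   <ns-name> <required|optional> <present|absent>
check_glue() {
  awk -v zone="$1" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN { zone = norm(zone) }
    /^;; [A-Z]+ SECTION:/ { section = $2; next }   # track the current section
    /^;/ || NF < 5 { next }                        # skip comments and blanks
    section == "AUTHORITY" && $4 == "NS" && norm($1) == zone { ns[norm($5)] = 1 }
    section == "ADDITIONAL" && ($4 == "A" || $4 == "AAAA") { glue[norm($1)] = 1 }
    END {
      for (n in ns) {
        # Glue is mandatory only when the NS name is at or below the zone.
        tail = substr(n, length(n) - length(zone))
        need = (n == zone || tail == "." zone) ? "required" : "optional"
        print n, need, ((n in glue) ? "present" : "absent")
      }
    }' | sort
}

# Referral sections for hostwizard.com, copied from the dig output above.
sample_thread() { cat <<'EOF'
;; AUTHORITY SECTION:
hostwizard.com. 172800  IN  NS  ns1.hostwizard.com.
hostwizard.com. 172800  IN  NS  ns1.nacio.com.

;; ADDITIONAL SECTION:
ns1.hostwizard.com. 172800  IN  A   64.84.37.14
ns1.nacio.com.  172800  IN  A   64.84.0.18
EOF
}

# Constructed failure case: in-zone name server but an empty ADDITIONAL section.
sample_broken() { cat <<'EOF'
;; AUTHORITY SECTION:
example.test.   172800  IN  NS  ns1.example.test.
example.test.   172800  IN  NS  ns.provider.example.

;; ADDITIONAL SECTION:
EOF
}

sample_thread | check_glue hostwizard.com
sample_broken | check_glue example.test
# Live: dig +norec IN A ns1.hostwizard.com @a.gtld-servers.net | check_glue hostwizard.com
```

A line ending in `required absent` marks a delegation that resolvers cannot follow; `optional present` is the harmless extra glue seen for ns1.nacio.com.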



Re: Glue record misunderstanding

2009-10-01 Thread Matthew Pounsett



On 01-Oct-2009, at 19:03, Scott Haneda wrote:

> So I see my NS is listed in the additional section.  This to me
> tells me there is in fact glue, so I should consider the report at
> http://intodns.com/hostwizard.com to be inaccurate?


Yeah, I just ran a few queries and can't figure out what exactly it's  
complaining about.


Matt





Re: Glue record misunderstanding

2009-10-01 Thread Mark Andrews

In message 73e2882f-00b3-41cb-b46d-351774486...@conundrum.com, Matthew Pounsett writes:
> On 01-Oct-2009, at 19:03, Scott Haneda wrote:
>
> > So I see my NS is listed in the additional section.  This to me
> > tells me there is in fact glue, so I should consider the report at
> > http://intodns.com/hostwizard.com to be inaccurate?
>
> Yeah, I just ran a few queries and can't figure out what exactly it's
> complaining about.
>
> Matt

It's making an observation (i in a blue circle) that there were
not additional records for ns1.nacio.com being returned by
ns1.hostwizard.com presumably because ns1.hostwizard.com doesn't
serve the zone that contains ns1.nacio.com.  There is nothing wrong
with this.  These records are NOT GLUE records.  Only parent servers
return GLUE records.

That being said there would be an error condition if the address
(A/) record for ns1.hostwizard.com didn't exist except as glue.
The way to check for that is to make a query for ns1.hostwizard.com
and follow all the delegations until you get to the zone that serves
ns1.hostwizard.com.

Modern versions of named attempt to detect glue only delegations
and refuse to load zones that contain them.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org