Re: Delegation NS-records when zones share an authority server
> On 13 Apr 2023, at 06:44, Mark Andrews wrote: > > > >> On 13 Apr 2023, at 03:19, Fred Morris wrote: >> >> TLDR: NS records occur above and below zone cuts. >> >> On Wed, 12 Apr 2023, John Thurston wrote: >>> >>> We have authority over state.ak.us, which we publish as a public zone. We >>> also publish challenge.state.ak.us as a public zone. >>> >>> The public NS records for state.ak.us are: ns4.state.ak.us and >>> ns3.state.ak.us The NS records for challenge.state.ak.us are the same. >>> >>> I recently noticed there were no NS records _in the state.ak.us zone_ for >>> challenge.state.ak.us. >> >> So nothing above the zone cut == there is no zone cut. (IMO) >> >>> This had me scratching my head . . "how can this be working?", until I >>> remembered the same instances of BIND were serving out both zones. There >>> _were_ NS records in the challenge.state.ak.us zone, BIND had them, was >>> authoritative, so would answer with them; BIND didn't need to look in the >>> state.ak.us zone to find them. >> >> Yup. >> >>> Some experimentation shows that even if I insert NS records into >>> state.ak.us (for challenge.state.ak.us), BIND does not add them to its >>> answer when asked "dig NS challenge.state.ak.us". I interpret this to mean >>> that while this instance of BIND is authoritative for both zones, it >>> answers with information from the most specific zone it has, and ignores >>> values in the delegating zone. And that makes sense to me. >> >> Yup. >> >>> Now the question is, should I insert NS records into state.ak.us (for >>> challenge.state.ak.us) anyway? >>> [...] >>> >>> Unknown: >>> >>> * Does the answer change if we want to start signing either zone? >> >> I suspect you don't need the NS records in challenge.state.ak.us and if you >> remove them then the records in challenge.state.ak.us are simply part of the >> state.ak.us zone since they're served off of the same server. Glue records >> (above the cut) are essentially the same NS record(s) published on >> nameservers above the zone cut as within the zone on the nameservers for the >> zone proper (below the cut). >> >> On the other hand maybe whatever software you're using to manage / serve DNS >> does something with those records (or requires them since / if the two >> namespaces are loaded as separate zones). >> >> In terms of NXDOMAIN and SOA queries, both state.ak.us and >> challenge.state.ak.us seem to do the right thing in terms of pretending to >> be separate zones, e.g. in the first case returning the correct domain in >> the AUTHORITY and in the second case returning the relevant SOA records >> directly in the ANSWER. > > You need NS records in the parent domain to give correct answers to DS > queries (DATA or NODATA NOERROR vs NXDOMAIN) and to generate valid NSEC and > NSEC3 chains. Additionally if the parent zone is ever transferred to server > without the child zone clients will see a Schrödinger zone. Always add > delegating NS RRset and keep it consistent with the child zone. To demonstrate what I mean about DS. While named has code to handle this inconsistency other recursive servers may not as it is NOT a RFC requirement. % dig ds challenge.state.ak.us ;; BADCOOKIE, retrying. ; <<>> DiG 9.19.11-dev <<>> ds challenge.state.ak.us ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34581 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 13281432cf7c77c8010064371a0bdc1c24b7a7f4aaf4 (good) ;; QUESTION SECTION: ;challenge.state.ak.us. IN DS ;; AUTHORITY SECTION: state.ak.us. 3600 IN SOA ns3.state.ak.us. hostmaster.state.ak.us. 1681251385 3600 900 7776000 3600 ;; Query time: 1484 msec ;; SERVER: ::1#53(::1) (UDP) ;; WHEN: Thu Apr 13 06:52:27 AEST 2023 ;; MSG SIZE rcvd: 129 % dig soa challenge.state.ak.us ;; BADCOOKIE, retrying. ; <<>> DiG 9.19.11-dev <<>> soa challenge.state.ak.us ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9228 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 5babd4f25d912557010064371a19b455b75c97d45a2c (good) ;; QUESTION SECTION: ;challenge.state.ak.us. IN SOA ;; ANSWER SECTION: challenge.state.ak.us. 21600 IN SOA ns3.state.ak.us. hostmaster.state.ak.us. 2018034113 3600 300 86400 120 ;; Query time: 255 msec ;; SERVER: ::1#53(::1) (UDP) ;; WHEN: Thu Apr 13 06:52:41 AEST 2023 ;; MSG SIZE rcvd: 129 % >> -- >> >> Fred Morris, internet plumber >> >> >> -- >> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from >> this list >> >> ISC funds the development of this software with paid support subscriptions. >> Contact us at https://www.isc.org/contact/ for more information. >> >> >> bind-users mailing list >> bind-users@lists.isc.org >>
Re: Delegation NS-records when zones share an authority server
On 13/04/2023 5:58 am, Havard Eidnes via bind-users wrote: I suspect you don't need the NS records in challenge.state.ak.us and if you remove them then the records in challenge.state.ak.us are simply part of the state.ak.us zone since they're served off of the same server. Unfortunately "not quite". While a publishing name server will respond with data from the most specific zone available to it when queried (e.g. for the NS records for challenge.state.ak.us), this "overriding" or "leakage" does not happen when you do a zone transfer of the parent zone (state.ak.us). So ... if you have a publishing name server which is a name server for state.ak.us and not for challenge.state.ak.us, it will *not* have the delegation NS RRset for challenge.state.ak.us, and if a recursor happens to query this particular publishing name server as part of the process of resolving a name in challenge.state.ak.us, it will get an apparently-spurious NXDOMAIN response. I think the suggestion was for the other way around - i.e. NS in parent zone only? But that is also not a good idea. I'll defer to RFC 1034 section 4.2.1 for the details: Though logically part of the authoritative data, the RRs that describe the top node of the zone are especially important to the zone's management. These RRs are of two types: name server RRs that list, one per RR, all of the servers for the zone, and a single SOA RR that describes zone management parameters. The RRs that describe cuts around the bottom of the zone are NS RRs that name the servers for the subzones. Since the cuts are between nodes, these RRs are NOT part of the authoritative data of the zone, and should be exactly the same as the corresponding RRs in the top node of the subzone. Since name servers are always associated with zone boundaries, NS RRs are only found at nodes which are the top node of some zone. In the data that makes up a zone, NS RRs are found at the top node of the zone (and are authoritative) and at cuts around the bottom of the zone (where they are not authoritative), but never in between. The terminology is a bit confusing, but it boils down to this: The NS records for the zone must be included in the zone itself, and also in the parent zone. Nick. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation NS-records when zones share an authority server
> On 13 Apr 2023, at 03:19, Fred Morris wrote: > > TLDR: NS records occur above and below zone cuts. > > On Wed, 12 Apr 2023, John Thurston wrote: >> >> We have authority over state.ak.us, which we publish as a public zone. We >> also publish challenge.state.ak.us as a public zone. >> >> The public NS records for state.ak.us are: ns4.state.ak.us and >> ns3.state.ak.us The NS records for challenge.state.ak.us are the same. >> >> I recently noticed there were no NS records _in the state.ak.us zone_ for >> challenge.state.ak.us. > > So nothing above the zone cut == there is no zone cut. (IMO) > >> This had me scratching my head . . "how can this be working?", until I >> remembered the same instances of BIND were serving out both zones. There >> _were_ NS records in the challenge.state.ak.us zone, BIND had them, was >> authoritative, so would answer with them; BIND didn't need to look in the >> state.ak.us zone to find them. > > Yup. > >> Some experimentation shows that even if I insert NS records into state.ak.us >> (for challenge.state.ak.us), BIND does not add them to its answer when asked >> "dig NS challenge.state.ak.us". I interpret this to mean that while this >> instance of BIND is authoritative for both zones, it answers with >> information from the most specific zone it has, and ignores values in the >> delegating zone. And that makes sense to me. > > Yup. > >> Now the question is, should I insert NS records into state.ak.us (for >> challenge.state.ak.us) anyway? >> [...] >> >> Unknown: >> >> * Does the answer change if we want to start signing either zone? > > I suspect you don't need the NS records in challenge.state.ak.us and if you > remove them then the records in challenge.state.ak.us are simply part of the > state.ak.us zone since they're served off of the same server. Glue records > (above the cut) are essentially the same NS record(s) published on > nameservers above the zone cut as within the zone on the nameservers for the > zone proper (below the cut). > > On the other hand maybe whatever software you're using to manage / serve DNS > does something with those records (or requires them since / if the two > namespaces are loaded as separate zones). > > In terms of NXDOMAIN and SOA queries, both state.ak.us and > challenge.state.ak.us seem to do the right thing in terms of pretending to be > separate zones, e.g. in the first case returning the correct domain in the > AUTHORITY and in the second case returning the relevant SOA records directly > in the ANSWER. You need NS records in the parent domain to give correct answers to DS queries (DATA or NODATA NOERROR vs NXDOMAIN) and to generate valid NSEC and NSEC3 chains. Additionally if the parent zone is ever transferred to server without the child zone clients will see a Schrödinger zone. Always add delegating NS RRset and keep it consistent with the child zone. > -- > > Fred Morris, internet plumber > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation NS-records when zones share an authority server
> I suspect you don't need the NS records in challenge.state.ak.us and > if you remove them then the records in challenge.state.ak.us are > simply part of the state.ak.us zone since they're served off of the > same server. Unfortunately "not quite". While a publishing name server will respond with data from the most specific zone available to it when queried (e.g. for the NS records for challenge.state.ak.us), this "overriding" or "leakage" does not happen when you do a zone transfer of the parent zone (state.ak.us). So ... if you have a publishing name server which is a name server for state.ak.us and not for challenge.state.ak.us, it will *not* have the delegation NS RRset for challenge.state.ak.us, and if a recursor happens to query this particular publishing name server as part of the process of resolving a name in challenge.state.ak.us, it will get an apparently-spurious NXDOMAIN response. I understand this isn't the case right now, but this is a problem which might come and bite your behind if you later decide to change the NS RRsets so that they are no longer equal for the two zones. So the long and short of my advice: do the delegations properly by copying the NS RRset from the child to the parent, plus any required address glue records, and this particular problem will not become an issue. Best regards, - Håvard -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation NS-records when zones share an authority server
it'll matter when you decide to add DNSSEC to the zone, and it's also good hygiene in the absence of DNSSEC so that any future maintainer can be reminded that there is a subdomain at that name when looking at the parent. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Delegation NS-records when zones share an authority server
TLDR: NS records occur above and below zone cuts. On Wed, 12 Apr 2023, John Thurston wrote: We have authority over state.ak.us, which we publish as a public zone. We also publish challenge.state.ak.us as a public zone. The public NS records for state.ak.us are: ns4.state.ak.us and ns3.state.ak.us The NS records for challenge.state.ak.us are the same. I recently noticed there were no NS records _in the state.ak.us zone_ for challenge.state.ak.us. So nothing above the zone cut == there is no zone cut. (IMO) This had me scratching my head . . "how can this be working?", until I remembered the same instances of BIND were serving out both zones. There _were_ NS records in the challenge.state.ak.us zone, BIND had them, was authoritative, so would answer with them; BIND didn't need to look in the state.ak.us zone to find them. Yup. Some experimentation shows that even if I insert NS records into state.ak.us (for challenge.state.ak.us), BIND does not add them to its answer when asked "dig NS challenge.state.ak.us". I interpret this to mean that while this instance of BIND is authoritative for both zones, it answers with information from the most specific zone it has, and ignores values in the delegating zone. And that makes sense to me. Yup. Now the question is, should I insert NS records into state.ak.us (for challenge.state.ak.us) anyway? [...] Unknown: * Does the answer change if we want to start signing either zone? I suspect you don't need the NS records in challenge.state.ak.us and if you remove them then the records in challenge.state.ak.us are simply part of the state.ak.us zone since they're served off of the same server. Glue records (above the cut) are essentially the same NS record(s) published on nameservers above the zone cut as within the zone on the nameservers for the zone proper (below the cut). On the other hand maybe whatever software you're using to manage / serve DNS does something with those records (or requires them since / if the two namespaces are loaded as separate zones). In terms of NXDOMAIN and SOA queries, both state.ak.us and challenge.state.ak.us seem to do the right thing in terms of pretending to be separate zones, e.g. in the first case returning the correct domain in the AUTHORITY and in the second case returning the relevant SOA records directly in the ANSWER. -- Fred Morris, internet plumber -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
