To: Bruce Campbell <bruce.campbell@apnic.net>
cc: dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Thu, 10 May 2001 23:38:55 +0700
In-Reply-To: <Pine.BSF.4.21.0105100927150.43413-100000@julubu.staff.apnic.net>
Sender: owner-dnsop@cafax.se
Subject: Re: Should a nameserver know about itself?

    Date:        Thu, 10 May 2001 09:50:26 +1000 (EST)
    From:        Bruce Campbell <bruce.campbell@apnic.net>
    Message-ID:  <Pine.BSF.4.21.0105100927150.43413-100000@julubu.staff.apnic.net>

  | Right. Now that we've gotten that out of the way, can anyone suggest a
  | *reliable* test for verifying that a nameserver is responding ( which is
  | separate from verifying that a nameserver is authoritatively serving a
  | given zone )

There have been some suggestions for that, but ... why???

If you know (either empirically, or by having been referred from another
server) that a nameserver is supposed to serve a particular zone, then you
send it a query about that zone. If it sends you back some kind of DNS
response, then it has a DNS implementation. If it sends you back good data
about the zone, then it is configured to handle the zone (so you get two
answers for the price of one...)

If you don't know any zone that a server is supposed to be serving, why
would you ever care if it has a DNS server on it or not? (Unless it is
supposed to be your local back end resolver I suppose, but I doubt that is
the case you're concerned with). That is, if you're never going to send it
a query, why would you care what it would say if you did? What does it
matter?

So, just check if it serves the zone that you're being asked to delegate.
If it does that, then you know (also, for free) that it must also have a
responding nameserver. If it doesn't, you should be able to work out from
what happened whether the problem is no nameserver at all (you get ICMP port
unreachable, no response at all, TCP reset, ...) or perhaps a firewall
filtering you from the nameserver, which is effectively the same thing, or a
nameserver that just doesn't know the zone (a referral, a NXDOMAIN, a
non-auth answer, a list of NS records that doesn't include itself, ...).

The only real point in distinguishing is to give a better reason to supply
for refusing to do the delegation.

kre
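
The check described in the message above, sketched as an added example that is not part of the original e-mail: send the server a SOA query for the zone to be delegated and sort the outcome into the three cases the message names. The function names and verdict strings are assumptions made for this illustration, and the classifier looks only at the DNS header and the UDP transport result, so it does not compare the returned NS list against the server's own name.

```python
import socket
import struct

# Verdicts for the three outcomes the message distinguishes (names are illustrative).
SERVES_ZONE = "serves zone"
NO_NAMESERVER = "no nameserver reachable (or filtered)"
LAME = "nameserver responds but does not serve the zone"

def build_soa_query(zone, qid=0x1234):
    """Wire-format query for <zone> IN SOA with recursion not requested."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response):
    """Classify raw reply bytes; None or a short read means no DNS response."""
    if response is None or len(response) < 12:
        return NO_NAMESERVER, "no DNS response"
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", response[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    if rcode == 3:
        return LAME, "NXDOMAIN"
    if rcode != 0:
        return LAME, "error rcode %d" % rcode
    if not aa and ancount == 0 and nscount > 0:
        return LAME, "referral"
    if not aa:
        return LAME, "non-authoritative answer"
    if ancount == 0:
        return LAME, "authoritative but no SOA at this name"
    return SERVES_ZONE, "authoritative answer"

def probe(server, zone, timeout=3.0):
    """Send the SOA query over UDP to port 53 and classify whatever happens."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))  # connected UDP socket surfaces ICMP errors
            s.send(build_soa_query(zone))
            return classify(s.recv(4096))
        except socket.timeout:
            return NO_NAMESERVER, "no response at all"
        except ConnectionRefusedError:
            return NO_NAMESERVER, "ICMP port unreachable"
```

The second element of each result is the reason that could be supplied when refusing the delegation.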