Re: Joint DNSEXT & NGTRANS agenda

[bert hubert <ahu@ds9a.nl>]

On Thu, Aug 02, 2001 at 05:49:38PM +0700, Robert Elz wrote:
>   | When resolving, BIND 8 and 9 do reject
>   | all records that are not within the domain whose authoritative
>   | qservers are being queried.
> 
> That's broken, and should be fixed.  If it really is as you have
> explained it, it guarantees that some perfectly legal DNS configurations
> can never be properly resolved.

We had that problem. This leads to frantic phonecalls from Verisign, who
explained it all very clearly and kindly suggested we move to using glue
records ASAP. Verisign sees a very large number of requests on the (gtld?)
rootservers for your nameservers otherwise.

The situation was like this:

At Amnic:
	I.AM			NS 	select.powerdns.com.
	I.AM			NS 	mincore.powerdns.com.

At the GTLD servers:

	powerdns.com		NS	dns-us1.powerdns.net.
	powerdns.com		NS	dns-eu1.powerdns.net.
	dns-us1.powerdns.net	A	63.123.33.130
	dns-eu1.powerdns.net	A	213.244.168.217

on the dns-{us,eu}1.powerdns.net:

	select.powerdns.com 	A	212.72.48.170
	mincore.powerdns.com	A	204.198.135.70

This sequence does not allow WWW.I.AM to be resolved by Bind 8.2.3. If you
start from an empty cache, bind will not believe the answers it gets, and
get stuck.

We've now moved the I.AM NS records to the glued ns1.i.am and ns2.i.am,
which get sent in the additional section, thus helping bind.

I'm by nature not a bind-basher since I think it is unwise for competitors
to throw mud at eachother, but this *is* rather silly behaviour. Having said
that, writing a recursing nameserver is very difficult - so far we stick to
only being authoritative.

Regards,


bert

-- 
http://www.PowerDNS.com      Versatile DNS Services  
Trilab                       The Technology People   
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet