Dnssec delegation NS RRset

Dnssec delegation NS RRset

Bind-Users forum mailing list
I am getting the following warning:

The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the com zone): (a DNS server)

The DNS server exists and is used by other domains, so this is something specific to this one domain and not to the DNS servers, so I think it must be something on the registrar.

Missing glue records?

--
You have the effrontery to be squeamish, it thought at him. But we
        were dragons. We were supposed to be cruel, cunning, heartless,
        and terrible. But this much I can tell you, you ape - the great
        face pressed even closer, so that Wonse was staring into the
        pitiless depths of his eyes - we never burned and tortured and
        ripped one another apart and called it morality. --Guards!
        Guards!

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Dnssec delegation NS RRset

Matthew Richardson
You may find people can give better answers if you tell us the domain name.

The issue does not sound like glue, but there is not enough information to
go on.

Best wishes,
Matthew
 ------
>From: "@lbutlr via bind-users" <[hidden email]>
>To: bind-users <[hidden email]>
>Cc:
>Date: Sat, 27 Mar 2021 03:30:09 -0600
>Subject: Dnssec delegation NS RRset

>I am getting the following warning:
>
>The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the com zone): (a DNS server)
>
>The DNS server exists and is used by other domains, so this is something specific to this one domain and not to the DNS servers, so I think it must be something on the registrar.
>
>Missing glue records?

Re: Dnssec delegation NS RRset

Bind-Users forum mailing list
In reply to this post by Bind-Users forum mailing list
> I am getting the following warning:
>
> The following NS name(s) were found in the authoritative NS
> RRset, but not in the delegation NS RRset (i.e., in the com
> zone): (a DNS server)

This sounds like there is a mismatch between the NS RRset for the
zone on the authoritative NSes for the zone and the delegation NS
RRset from the parent zone.  For a proper setup, these two NS
RRsets need to be identical, and it's the zone owner's duty to
ensure that is the case.  Updating the NS RRset in the parent is
often done using other means than the DNS protocol itself.

> Missing glue records?

Maybe I'm splitting hairs here...

https://tools.ietf.org/html/rfc8499

says about "glue records":
      A later definition is that glue "includes any record in a zone
      file that is not properly part of that zone, including nameserver
      records of delegated sub-zones (NS records), address records that
      accompany those NS records (A, AAAA, etc), and any other stray
      data that might appear."  (Quoted from [RFC2181], Section 5.4.1)

So... According to that wider definition of "glue records", yes,
there may be missing NS records in the delegation NS RRset in the
delegating zone.

If you use the more narrow definition of "glue records", that it
only consists of address records for the names corresponding to
the NS records in delegations, I would say "probably not".

Regards,

- Håvard
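
The comparison described in the last reply, as an added example that is not part of the original thread: it extracts the NS RRset from a parent-side referral and from an authoritative answer and lists the names found on only one side of the zone cut. The zone name, server names and addresses are constructed placeholders, and both inputs are assumed to be in dig's presentation format.

```python
# Constructed dig-style output; example.com and the 192.0.2.0/24 addresses are
# placeholders, not the domain from the thread.
# Referral from a parent (com) server, e.g. a non-recursive NS query sent to it.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com.  172800 IN A  192.0.2.1
ns2.example.com.  172800 IN A  192.0.2.2
"""
# Answer from one of the zone's own authoritative servers.
CHILD_ANSWER = """\
;; ANSWER SECTION:
example.com.      3600 IN NS NS1.Example.COM.
example.com.      3600 IN NS ns2.example.com.
example.com.      3600 IN NS ns3.example.com.
"""


def canonical(name):
    """DNS names compare case-insensitively; use lower case and one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def ns_rrset(dig_text, zone):
    """Return the NS target names owned by `zone` in dig-style text."""
    targets = set()
    for line in dig_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments and section headers
        # dig prints: owner TTL class type rdata
        if len(fields) == 5 and fields[3].upper() == "NS" \
                and canonical(fields[0]) == canonical(zone):
            targets.add(canonical(fields[4]))
    return targets


def compare_delegation(parent_text, child_text, zone):
    """Report NS names present on only one side of the zone cut."""
    parent, child = ns_rrset(parent_text, zone), ns_rrset(child_text, zone)
    return {
        "only_in_child": sorted(child - parent),   # the case the warning describes
        "only_in_parent": sorted(parent - child),  # the reverse mismatch
        "consistent": parent == child,
    }


if __name__ == "__main__":
    print(compare_delegation(PARENT_REFERRAL, CHILD_ANSWER, "example.com"))
```

In the sample, address glue exists for both delegated names, yet the sets still differ because ns3 is listed only in the child zone.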