
AXFR & NS records at delegation points



In prototyping DNSSEC functions in BIND, we've come across a problem
concerning zone transfers.   This problem is not specific to DNSSEC,
however.

The problem is determining what is returned (specifically regarding the NS
record) at delegation points in a zone when the source of the transfer is
authoritative for both the zone being transferred and the zone below the
delegation point.

Example 1:
zone.bar.com:
	...
	foo	NS	a.foo.bar.com
	...

zone.foo.bar.com:
	...
	@	NS	b.foo.bar.com

As an example, say our nameserver is serving bar.com and foo.bar.com.  When
the name server receives an AXFR request for bar.com, which NS record does it
include for foo.bar.com?  The one from the bar.com zone or the (more credible)
one from the foo.bar.com zone?  In BIND, only the more credible record is
stored (the other is expunged from memory).

The data from the lower zone is more credible, but including it leads to a
problem where two servers can both be serving bar.com and contain the same
serial number in the SOA, but if only one is serving foo.bar.com, the AXFR
will contain different data.  In other words, for a secondary claiming serial
number = 1998052913, the NS record would be a.foo.bar from a server
authoritative only for the bar.com zone, and it would be b.foo.bar.com from a
server authoritative for both zones.


Example 2:
zone.bar.com:
	...
	foo	NS	a.foo.bar.com
	...

zone.foo.bar.com.signed:
	...
	@	NS	a.foo.bar.com
		SIG	NS ...
	...

This is also related to DNSSEC.  If the upper zone is unsigned and the lower zone
is signed, the upper zone will overwrite (in BIND, at least) its unsigned NS
record for foo.bar.com with the signed one from the lower zone.  Should the
AXFR contain the SIG NS record or not?

Additionally, there may be a similar problem with KEY records, as the parent
and child zones both contain KEY records at delegation points.  In this case,
though, the parent should not contain the key record in the first place.

Any suggestions?

Brian
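The divergence described in the post (two servers with the same SOA serial handing out different NS data at a delegation point) can be modelled and checked from the secondary's side. The following is an added example, not code from the post or from BIND; the zone data is constructed from the post's examples, and the glue address, SIG rdata and the `merge_child` switch are assumptions used to contrast the two behaviours.

```python
from typing import Dict, List, Set, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata); owner names are absolute
APEX = "bar.com."
# Constructed from the post's examples: the parent delegates foo.bar.com to
# a.foo.bar.com, while the (signed) child apex names b.foo.bar.com.
BAR_COM: List[RR] = [
    ("bar.com.", "SOA", "ns.bar.com. hostmaster.bar.com. 1998052913 3600 900 604800 300"),
    ("bar.com.", "NS", "ns.bar.com."),
    ("foo.bar.com.", "NS", "a.foo.bar.com."),
    ("a.foo.bar.com.", "A", "192.0.2.1"),  # constructed glue record
]
FOO_BAR_COM: List[RR] = [
    ("foo.bar.com.", "SOA", "b.foo.bar.com. hostmaster.foo.bar.com. 7 3600 900 604800 300"),
    ("foo.bar.com.", "NS", "b.foo.bar.com."),
    ("foo.bar.com.", "SIG", "NS 1 3 3600 19980701000000 19980601000000 12345 foo.bar.com. <sig>"),
]

def delegation_names(zone: List[RR], apex: str) -> Set[str]:
    """Owner names below the apex that carry NS records, i.e. zone cuts."""
    return {o for (o, t, _) in zone if t == "NS" and o != apex}

def axfr(served: Dict[str, List[RR]], apex: str, merge_child: bool) -> List[RR]:
    """AXFR of `apex` from a server serving every zone in `served`.
    merge_child=True models the behaviour the post describes: at a cut the child's
    (more credible) NS and SIG(NS) replace the parent's delegation NS.
    merge_child=False emits only the parent zone's own records."""
    out = list(served[apex])
    if not merge_child:
        return out
    for cut in delegation_names(out, apex):
        child = served.get(cut)
        if child is None:
            continue  # not authoritative for the child: parent data stands
        out = [rr for rr in out if not (rr[0] == cut and rr[1] == "NS")]
        out += [rr for rr in child if rr[0] == cut
                and (rr[1] == "NS" or (rr[1] == "SIG" and rr[2].startswith("NS ")))]
    return out

def serial(xfr: List[RR], apex: str) -> int:
    soa = next(rd for (o, t, rd) in xfr if o == apex and t == "SOA")
    return int(soa.split()[2])

def same_serial_divergence(a: List[RR], b: List[RR], apex: str) -> List[RR]:
    """Secondary-side check: two transfers claiming the same serial must agree.
    Returns the records present in only one of them (empty means consistent)."""
    if serial(a, apex) != serial(b, apex):
        return []  # different serials are allowed to differ
    return sorted(set(a) ^ set(b))
```

Running `axfr` for a server that serves only bar.com and one that serves both zones, then comparing the two results with `same_serial_divergence`, reproduces the post's inconsistency under `merge_child=True` and shows it disappears when the transfer is restricted to the parent zone's own records.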