[Opendnssec-user] occluded data?

Rickard Bellgrim rickard.bellgrim at iis.se
Sat Nov 20 09:03:28 UTC 2010


On 19 nov 2010, at 15.55, Michael Braunoeder wrote:

> The zonefile looks like this:
> 
> at.     172800  IN      NS      d.nic.at.
> at.     172800  IN      NS      j.nic.at.
> at.     172800  IN      NS      n.nic.at.
> at.     172800  IN      NS      ns1.univie.ac.at.
> at.     172800  IN      NS      ns2.univie.ac.at.
> at.     172800  IN      NS      ns9.univie.ac.at.
> at.     172800  IN      NS      ns-uk.nic.at.
> 
> and contains the corresponding A and AAAA glue records.
> 
> From my point of view, this is a valid setup or do I miss something?

Sorry for the spamming, but I have been giving this some more thought.

Glue is only needed when we delegate to a name server which is part of that subdomain, thus avoiding circular dependencies. But the NS that you have in your zone apex is not a delegation. The delegation for .at is in the root where the glue should be located.

The *.nic.at and *.univie.ac.at can be resolved without the corresponding glue for .at, because if the resolver has reached this zone then it can continue querying the subdomains.

Conclusion: The extra glue that you have in your zone is occluded by the delegations to nic.at and ac.at.

Is it ok to mark these as occluded data?

Are there any benefits of having extra glue for the NS in the zone apex?

// Rickard
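
Added example (not part of the original message and not OpenDNSSEC code): a small classifier for the distinction discussed above, separating authoritative data, delegations, glue, and occluded records in a parent zone. It assumes that glue means an A/AAAA record whose owner is an NS target of the delegation that covers it; the apex NS names come from the thread, while the delegation NS sets, the name `ns.ac.at.` and all addresses are constructed.

```python
GLUE_TYPES = {"A", "AAAA"}
ZONE = "at."

# Constructed sample: apex NS names are from the thread; the delegations,
# their NS targets and the documentation-range addresses are made up.
RECORDS = [
    ("at.", "NS", "d.nic.at."),
    ("at.", "NS", "ns1.univie.ac.at."),
    ("nic.at.", "NS", "ns-uk.nic.at."),          # constructed delegation
    ("ac.at.", "NS", "ns.ac.at."),               # constructed delegation
    ("d.nic.at.", "A", "192.0.2.1"),             # address for an apex NS only
    ("ns-uk.nic.at.", "A", "192.0.2.2"),         # address for a delegation NS
    ("ns1.univie.ac.at.", "AAAA", "2001:db8::1"),
    ("ns.ac.at.", "A", "192.0.2.3"),
    ("www.nic.at.", "TXT", "constructed"),
]

def labels(name):
    return name.lower().rstrip(".").split(".")

def covers(cut, name):
    """True if name is at or below the zone cut."""
    c, n = labels(cut), labels(name)
    return len(n) >= len(c) and n[-len(c):] == c

def classify(zone, records):
    zone = zone.lower()
    # Every non-apex owner of an NS RRset is a zone cut; map it to its NS targets.
    cuts = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner.lower() != zone:
            cuts.setdefault(owner.lower(), set()).add(rdata.lower())
    out = []
    for owner, rtype, _ in records:
        name = owner.lower()
        # Topmost cut at or above this name; nested cuts are themselves occluded.
        cut = min((c for c in cuts if covers(c, name)),
                  key=lambda c: len(labels(c)), default=None)
        if cut is None:
            kind = "authoritative"       # signed by this zone
        elif name == cut and rtype == "NS":
            kind = "delegation"          # unsigned referral data
        elif name == cut and rtype == "DS":
            kind = "authoritative"       # DS lives on the parent side of the cut
        elif rtype in GLUE_TYPES and name in cuts[cut]:
            kind = "glue"                # needed to follow the delegation
        else:
            kind = "occluded"            # hidden below the cut, never served
        out.append((owner, rtype, kind))
    return out
```
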



