[Opendnssec-user] occluded data?
Rickard Bellgrim
rickard.bellgrim at iis.se
Sat Nov 20 09:03:28 UTC 2010
On 19 nov 2010, at 15.55, Michael Braunoeder wrote:
> The zonefile looks like this:
>
> at. 172800 IN NS d.nic.at.
> at. 172800 IN NS j.nic.at.
> at. 172800 IN NS n.nic.at.
> at. 172800 IN NS ns1.univie.ac.at.
> at. 172800 IN NS ns2.univie.ac.at.
> at. 172800 IN NS ns9.univie.ac.at.
> at. 172800 IN NS ns-uk.nic.at.
>
> and contains the corresponding A and AAAA glue records.
>
> From my point of view, this is a valid setup or do I miss something?
Sorry for the spamming, but I have been giving this some more thought.
Glue is only needed when we delegate to a name server which is part of that subdomain, thus avoiding circular dependencies. But the NS that you have in your zone apex is not a delegation. The delegation for .at is in the root where the glue should be located.
The *.nic.at and *.univie.ac.at can be resolved without the corresponding glue for .at, because if the resolver has reached this zone then it can continue querying the subdomains.
Conclusion: The extra glue that you have in your zone is occluded by the delegations to nic.at and ac.at.
Is it ok to mark these as occluded data?
Are there any benefits of having extra glue for the NS in the zone apex?
// Rickard
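
The classification described in the message above, as an added example that is not part of the original post and is not OpenDNSSEC's code. It assumes one rule: an address record below a zone cut counts as glue only if the delegation's own NS set names it, otherwise it is occluded. The delegation NS names and all addresses are constructed.

```python
# Constructed sample: the apex NS names come from the quoted zone file; the
# delegations for nic.at/ac.at and every address (RFC 5737) are made up.
APEX = "at."
ZONE = [
    ("at.", "NS", "d.nic.at."),
    ("at.", "NS", "ns1.univie.ac.at."),
    ("nic.at.", "NS", "ns1.nic.at."),        # constructed delegation
    ("ac.at.", "NS", "ns.ac.at."),           # constructed delegation
    ("ns1.nic.at.", "A", "192.0.2.1"),       # named by the nic.at NS set
    ("ns.ac.at.", "A", "192.0.2.2"),         # named by the ac.at NS set
    ("d.nic.at.", "A", "192.0.2.3"),         # address for an apex NS only
    ("ns1.univie.ac.at.", "A", "192.0.2.4"), # address for an apex NS only
]

def labels(name):
    return name.lower().rstrip(".").split(".")

def is_subdomain(name, parent):
    n, p = labels(name), labels(parent)
    return len(n) > len(p) and n[-len(p):] == p

def covering_cut(name, cuts):
    # The cut closest to the apex decides; anything under it is non-authoritative.
    above = [c for c in cuts if is_subdomain(name, c)]
    return min(above, key=lambda c: len(labels(c))) if above else None

def classify(zone, apex=APEX):
    # A zone cut is any non-apex owner name that carries an NS RRset.
    cuts = {o.lower() for o, t, _ in zone if t == "NS" and o.lower() != apex}
    result = {}
    for owner, rtype, _ in zone:
        name = owner.lower()
        cut = covering_cut(name, cuts)
        if cut is not None:
            targets = {d.lower() for o, t, d in zone if o.lower() == cut and t == "NS"}
            glue = rtype in ("A", "AAAA") and name in targets
            kind = "glue" if glue else "occluded"
        elif name in cuts:
            kind = "delegation" if rtype in ("NS", "DS") else "occluded"
        else:
            kind = "authoritative"
        result[(owner, rtype)] = kind
    return result

if __name__ == "__main__":
    for key, kind in classify(ZONE).items():
        print(key, kind)
```

Under this rule the addresses for d.nic.at and ns1.univie.ac.at come out as occluded, while the addresses named by the delegations' own NS sets come out as glue.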