[Opendnssec-user] occluded data?
Michael Braunoeder
mib at nic.at
Mon Nov 22 09:45:06 UTC 2010
Hi Rickard,
Am 20.11.2010 10:03, schrieb Rickard Bellgrim:
>
> On 19 nov 2010, at 15.55, Michael Braunoeder wrote:
>
>> The zonefile looks like this:
>>
>> at. 172800 IN NS d.nic.at.
>> at. 172800 IN NS j.nic.at.
>> at. 172800 IN NS n.nic.at.
>> at. 172800 IN NS ns1.univie.ac.at.
>> at. 172800 IN NS ns2.univie.ac.at.
>> at. 172800 IN NS ns9.univie.ac.at.
>> at. 172800 IN NS ns-uk.nic.at.
>>
>> and contains the corresponding A and AAAA glue records.
>>
>> From my point of view, this is a valid setup or do I miss something?
>
> Sorry for the spamming, but I have been giving this some more thoughts.
> Glue is only needed when we delegate to a name server which is part of that subdomain, thus avoiding circular dependencies. But the NS that you have in your zone apex is not a delegation. The delegation for .at is in the root where the glue should be located.
>
> The *.nic.at and *.univie.ac.at can be resolved without the corresponding glue for .at, because if the resolver have reached this zone then it can continue querying the subdomains.
> Conclusion: The extra glue that you have in your zone is occluded by the delegations to nic.at and ac.at.
>
> Is it ok to mark these as occluded data?
I think you are right, this sounds ok for me.
> Is there any benefits of having extra glue for the NS in the zone apex?
I will discuss this with our guys who generate the zonefile whats the
reason why we have this extra data in the zonefile.
Best,
Michael
More information about the Opendnssec-user
mailing list