[Opendnssec-user] occluded data?

Billy Glynn billy.glynn at domainregistry.ie
Wed Jan 26 12:36:48 UTC 2011

Hi Michael,

On 22/11/10 09:45, Michael Braunoeder wrote:
> Hi Rickard,
> Am 20.11.2010 10:03, schrieb Rickard Bellgrim:
>> On 19 nov 2010, at 15.55, Michael Braunoeder wrote:
>>> The zonefile looks like this:
>>> at.     172800  IN      NS      d.nic.at.
>>> at.     172800  IN      NS      j.nic.at.
>>> at.     172800  IN      NS      n.nic.at.
>>> at.     172800  IN      NS      ns1.univie.ac.at.
>>> at.     172800  IN      NS      ns2.univie.ac.at.
>>> at.     172800  IN      NS      ns9.univie.ac.at.
>>> at.     172800  IN      NS      ns-uk.nic.at.
>>> and contains the corresponding A and AAAA glue records.
>>>  From my point of view, this is a valid setup or do I miss something?
>> Sorry for the spamming, but I have been giving this some more thoughts.
>> Glue is only needed when we delegate to a name server which is part of
>> that subdomain, thus avoiding circular dependencies. But the NS that
>> you have in your zone apex is not a delegation. The delegation for .at
>> is in the root where the glue should be located.
>> The *.nic.at and *.univie.ac.at can be resolved without the
>> corresponding glue for .at, because if the resolver have reached this
>> zone then it can continue querying the subdomains.
>> Conclusion: The extra glue that you have in your zone is occluded by
>> the delegations to nic.at and ac.at.
>> Is it ok to mark these as occluded data?
> I think you are right, this sounds ok for me.
>> Is there any benefits of having extra glue for the NS in the zone apex?
> I will discuss this with our guys who generate the zonefile whats the
> reason why we have this extra data in the zonefile.

We have the same issue here.

What conclusion did you come to?

Best regards,


More information about the Opendnssec-user mailing list