DNS:为区域设置的 NS 名称是否必须与上游 TLD 服务器报告的 NS 名称相匹配?
我注意到,一些服务提供商正在为其客户的域运行 DNS 服务,其中为该区域设置了 NS 名称,并由权威名称服务器返回(在权限部分/NS 和 SOA 记录中),但与 NS 名称不匹配由上游服务器(例如 TLD 服务器)返回并用于查找。
示例:
$ dig the-domain-name-here.com NS
; <<>> DiG 9.4.2-P1 <<>> the-domain-name-here.com NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7844
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;the-domain-name-here.com. IN NS
;; ANSWER SECTION:
the-domain-name-here.com. 172370 IN NS ns1.service-provider-here.net.
the-domain-name-here.com. 172370 IN NS ns2.service-provider-here.net.
;; ADDITIONAL SECTION:
ns1.service-provider-here.net. 7200 IN A 192.168.100.1
ns2.service-provider-here.net. 7200 IN A 192.168.100.2
;; Query time: 65 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Mar 11 19:44:00 2009
;; MSG SIZE rcvd: 118
$ dig @ns1.service-provider-here.net。 the-domain-name-here.com
; <<>> DiG 9.4.2-P1 <<>> @ns1.service-provider-here.net the-domain-name-here.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48010
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;the-domain-name-here.com. IN A
;; ANSWER SECTION:
the-domain-name-here.com. 86400 IN A 192.168.100.3
;; AUTHORITY SECTION:
the-domain-name-here.com. 86400 IN NS ns1.different-trade-name.net.
the-domain-name-here.com. 86400 IN NS ns2.different-trade-name.net.
;; Query time: 68 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Wed Mar 11 19:46:00 2009
;; MSG SIZE rcvd: 100
gTLD 服务器表示名称服务器是 ns1.service-provider-here.net,当我们在该服务器上查找名称时,它给出了权威答案,但泄漏了不同的 NS权威部分中的名称 (ns1. different-trade-name.net)。
有数千个域以这种方式配置。 它似乎不会造成任何问题,但它似乎是错误的。
这真的重要吗? 是否会出现解析器/客户端因此进行额外查找甚至无法解析名称的情况?
I've noticed that several service providers are operating DNS services for their clients' domains with NS names set for the zone and returned by the authoritative name server (in authority section / NS & SOA records) that don't match the NS names returned by the upstream server (e.g. TLD servers) and which were used for the lookup.
Example:
$ dig the-domain-name-here.com NS
; <<>> DiG 9.4.2-P1 <<>> the-domain-name-here.com NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7844
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;the-domain-name-here.com. IN NS
;; ANSWER SECTION:
the-domain-name-here.com. 172370 IN NS ns1.service-provider-here.net.
the-domain-name-here.com. 172370 IN NS ns2.service-provider-here.net.
;; ADDITIONAL SECTION:
ns1.service-provider-here.net. 7200 IN A 192.168.100.1
ns2.service-provider-here.net. 7200 IN A 192.168.100.2
;; Query time: 65 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Mar 11 19:44:00 2009
;; MSG SIZE rcvd: 118
$ dig @ns1.service-provider-here.net. the-domain-name-here.com
; <<>> DiG 9.4.2-P1 <<>> @ns1.service-provider-here.net the-domain-name-here.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48010
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;the-domain-name-here.com. IN A
;; ANSWER SECTION:
the-domain-name-here.com. 86400 IN A 192.168.100.3
;; AUTHORITY SECTION:
the-domain-name-here.com. 86400 IN NS ns1.different-trade-name.net.
the-domain-name-here.com. 86400 IN NS ns2.different-trade-name.net.
;; Query time: 68 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Wed Mar 11 19:46:00 2009
;; MSG SIZE rcvd: 100
The gTLD servers say the name server is ns1.service-provider-here.net and when we lookup the name at that server, it gives an authoritative answer but leaks a different NS name in the authority section (ns1.different-trade-name.net).
There are thousands of domains configured in this way. It doesn't seem to cause any problems, but it seems so wrong.
Does this actually matter? Is there ever going to be a situation where resolvers/clients will do an extra lookup or even fail to resolve the name because of this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
嗯,答案取决于观点。
从技术上讲,毫无疑问,父级和区域之间的任何差异都是错误的。 它永远不应该发生(某些注册管理机构使用自动工具来检查,例如
.fr< 中的 Zonecheck /代码>)。实际上,这种情况经常发生。 最常见的原因是人们更改了其区域中的 NS 记录,却忘记告知注册管理机构(或注册商,如果注册管理机构强制您通过中间人)有关更改的信息。
真的有关系吗? 好吧,正如你所说,只要两个集合之间存在非空交集,它就应该起作用。 但依赖它是危险的,因为再进行一次更改,两组可能会完全分开。 因此,接受差异并不是一个好主意。
从法律上讲,子区域永远是正确的,父区域中的NS记录不具有权威性。 解析器必须用他们在子区域中找到的列表替换委托。
Well, the answer depends on the point of view.
Technically, there is no doubt that any discrepancy between the parent and the zone is wrong. It should never happen (some registries use automatic tools to check that, for instance Zonecheck in
.fr).Practically, it happens quite often. The most common cause is that people change the NS records in their zone and forget to tell the registry (or registrar, if the registry forces you to go through a middleman) about the change.
Does it really matter? Well, as you said, as long as there is a non-empty intersection between the two sets, it should work. But it is dangerous to rely on it since one more change and the two sets may be completely separated. So, it is not a good idea to accept a discrepancy.
Legally speaking, the child zone is always right, the NS records in the parent are not authoritative. Resolvers must replace the delegation by the list they find in the child zone.
如果父级具有引用该区域权威 DNS 服务器的有效记录,则解析应该大部分有效。
我可以想到至少一种情况,如果您有不同的记录和其他一些错误配置,它们可能会成为问题。
该问题与区域更新时名称服务器如何发出通知有关。 例如,当您在主 DNS 服务器上使用绑定时,您更新区域然后重新加载,绑定将向区域中列出的所有服务器发送更新通知。 如果他们是另一个权威服务器,在主区域中没有 NS 记录,那么它不会收到通知,并且会拥有较旧的数据。 如果父级指向该服务器未获取更新,那么您可能会遇到问题,因为该服务器将提供数据结果不足。
另外,请记住,存在“水平分割”DNS 之类的东西。 有时,您需要向网络内的内部主机提供与向公众显示的区域不同的视图。 当您比较名称服务器记录时,请确保从相同的角度查看该区域。
If the parent has valid records referring to DNS servers that are authoritative for the zone then resolution should mostly work.
I can think of at least one case where their might be an issue if you had different records and a couple other miss-configurations.
The issue would be related to how the name server sends out notifies when the zone updated. For example when you are using bind on the primary dns server, you update the zone and then reload, bind will send out update notifications to all the servers that are listed in the zone. If their was another authoritative server didn't have an NS record in the primary zone then it wouldn't get the notify and would have older data. If the parents where pointing at this server that isn't getting updates, then you could have problems because that server would be providing out of data results.
Also, keep in mind that there is such a thing as 'split-horizon' DNS. Sometimes you need to provide a different view of your zone to your internal hosts that are inside your network versues what you display to the public. When you are comparing the name server records make sure you viewing the zone from the same perspective.