On Fri, Dec 05, 2014 at 03:49:59PM +0300, Alexei Malinin wrote:
>
> I would like to resolve this problem:
> - I have a child DNS zone served by my ISP slave name server;
> - the parent zone is served by my ISP master name server;

It appears to me what you refer to as "master name server" above are also part of the "slave name server" set?

Parent zone:
---
$ dig +nssearch 66.233.212.in-addr.arpa.
SOA ns1.agtel.net. hostmaster.agtel.net. 2014120402 86400 3600 604800 86400 from server ns2.agtel.net in 22 ms.
SOA ns1.agtel.net. hostmaster.agtel.net. 2014120402 86400 3600 604800 86400 from server ns1.agtel.net in 24 ms.
---

Child zone:
---
$ dig +nssearch 0-15.66.233.212.in-addr.arpa.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns8-l5.nic.ru in 106 ms.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns54-cloud.nic.ru in 53 ms.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns1.agtel.net in 68 ms.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns58-cloud.nic.ru in 86 ms.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns2.agtel.net in 47 ms.
SOA ns.amt.ru. hostmaster.amt.ru. 2014120415 3600 1800 4233600 3600 from server ns4-l5.nic.ru in 51 ms.
---

Basically you would want to compare the NS records reported by one of the hosts in the first set, with the NS records reported by one of the hosts in the second set. This only compares the delegation NS records with the authoritative NS records though, not glue (see below).

>
> - the question is - how and with what tools (dig, host, nslookup, or
> maybe C or Perl libs) can I verify the NS glue records in the parent
> zone of my ISP (zone transfers are denied)?
>

My first reaction is that I am not sure what you mean by "NS glue records". There are "NS records" and then there are "glue records". The NS records in the parent zone may also be called "delegation records".

Actual "glue records" (A/AAAA) are only needed when the NS records contain names that are inside the zone they are authoritative for. These should only exist in the parent zone for the actual names mentioned in the NS records.

We can take ns1.agtel.net as an example:
---
$ dig +trace ns1.agtel.net
[...]
agtel.net.      172800  IN  NS  ns2.agtel.net.
agtel.net.      172800  IN  NS  ns1.agtel.net.
;; Received 95 bytes from 192.5.6.30#53(a.gtld-servers.net) in 183 ms
[...]
---

In this case, a.gtld-servers.net delegates agtel.net to ns1.agtel.net. Since ns1.agtel.net is inside the zone agtel.net, a glue record is necessary in the parent zone; we can look it up like so:
---
dig @a.gtld-servers.net agtel.net
[...]
;; ADDITIONAL SECTION:
ns2.agtel.net.  172800  IN  A   212.233.88.2
ns1.agtel.net.  172800  IN  A   212.111.64.132
[...]
---

The ADDITIONAL SECTION contains the glue records for the nameservers in agtel.net. And they have nothing to do with your reverse 0-15.66.233.212.in-addr.arpa zone. To verify glue you would need to check this for the other nameservers mentioned in NS records for your reverse zone.

>
> I found some tools in the Internet (for example
> http://www.intodns.com/0-15.66.233.212.in-addr.arpa, see "Missing
> nameservers reported by parent") but these are inconvenient, I would
> like to use native OS tools (or tools from ports).
>

Based on the contents of the result field ("OK. All NS records are the same at the parent and at your nameservers.") it appears to me this test compares your authoritative NS records with the delegation NS records in the parent. It does not look like it has anything to do with glue records.

Sorry if all this is obvious to you and I am missing the bigger picture. Just trying to understand what you are asking for :).

Regards,
Patrik Lundin
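
The two checks the reply keeps apart (delegation NS set versus authoritative NS set, and glue for in-zone name server names), as an added example that is not part of the original message. It works offline on saved dig output; the sample records are the agtel.net lines quoted above, and the function names are assumptions of this sketch.

```python
# Added example. The records below are the dig output quoted in the message.
DELEGATION = """\
agtel.net.      172800  IN  NS  ns2.agtel.net.
agtel.net.      172800  IN  NS  ns1.agtel.net.
;; Received 95 bytes from 192.5.6.30#53(a.gtld-servers.net) in 183 ms
"""
ADDITIONAL = """\
;; ADDITIONAL SECTION:
ns2.agtel.net.  172800  IN  A   212.233.88.2
ns1.agtel.net.  172800  IN  A   212.111.64.132
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def parse_rrs(text):
    """Parse dig-style record lines into (owner, type, rdata); skip ';' comments."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and not f[0].startswith(";") and f[2].upper() == "IN":
            rrs.append((norm(f[0]), f[3].upper(), " ".join(f[4:])))
    return rrs

def ns_names(text, zone):
    """Set of name servers that `text` lists in NS records owned by `zone`."""
    return {norm(r) for o, t, r in parse_rrs(text) if t == "NS" and o == norm(zone)}

def ns_mismatch(parent_text, child_text, zone):
    """Check 1: delegation NS set at the parent vs. NS set served by the child."""
    parent, child = ns_names(parent_text, zone), ns_names(child_text, zone)
    return {"only_at_parent": parent - child, "only_at_child": child - parent}

def glue_report(zone, delegation_text, additional_text):
    """Check 2: glue is needed only for NS names inside `zone` itself."""
    glue = {}
    for owner, rtype, rdata in parse_rrs(additional_text):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    report = {}
    for ns in ns_names(delegation_text, zone):
        needed = ns == norm(zone) or ns.endswith("." + norm(zone))
        report[ns] = {"needs_glue": needed, "glue": glue.get(ns, []),
                      "ok": not needed or ns in glue}
    return report

if __name__ == "__main__":
    print(glue_report("agtel.net.", DELEGATION, ADDITIONAL))
```

Feed ns_mismatch the NS answer saved from one parent-zone server and one child-zone server; name servers outside the delegated zone come back from glue_report with needs_glue set to False.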