On Tue, Apr 25, 2023 at 08:43:26PM +0200, Gerald Galster via Postfix-users wrote:

> >    ; Delegation NS
> >    eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
> >    eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
> >    eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
> > 
> >    ; Authoritative NS
> >    eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.
> > 
> > The latter host does not exist:
> > 
> > [...]
> >
> > Once BIND learns the authoritative NS, the domain is bricked until that
> > data times out.
> 
> Is that implementation specific? It doesn't seem to be the case with unbound.

Some resolvers are "parent-centric" and some "child-centric".  The child
NS records are de jure more authoritative.

> It probably works because the NS records are already provided
> by the .rs tld nameservers:

That's typically the initial state.

> ;; QUESTION SECTION:
> ;eurobank-direktna.rs.                IN      NS
> 
> ;; ANSWER SECTION:
> eurobank-direktna.rs. 3600    IN      NS      bgdit01edns01.eurobank.rs.
> 
> This is obviously wrong, but why should a resolver query
> @ns1.eurobank.rs for eurobank-direktna.rs nameservers as
> this information is already known.

This can happen in a variety of ways.  Sometimes the child zone
"helpfully" includes NS records in the authority section along with
answers.  Sometimes this happens when the delegation records are
being refreshed due to TTL expiration, and sometimes on an explicit user
or application query for the NS records.

In any case BIND is "entitled" to prefer the child zone NS RR, which
then turns out to be unusable.  The zone in question is misconfigured.

-- 
    Viktor.
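
An added example, not part of the original message: an offline audit of the mismatch discussed above, comparing the delegation NS set with the child zone's own NS set and showing which servers a parent-centric and a child-centric resolver would be left with. The record text is copied from the thread; the function names and the `RESOLVABLE` set (which NS hostnames have address records) are assumptions made for illustration.

```python
import re

# "owner [ttl] IN NS target"; trailing ";" comments are stripped before matching.
NS_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+NS\s+(\S+)", re.I)

def parse_ns(text, zone):
    """Return the NS targets for `zone` found in dig / zone-file style text."""
    zone = zone.lower().rstrip(".")
    targets = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drops comment and header lines
        m = NS_RE.match(line)
        if m and m.group(1).lower().rstrip(".") == zone:
            targets.add(m.group(2).lower().rstrip("."))
    return targets

def audit(parent_ns, child_ns, resolvable):
    """Compare delegation (parent) and authoritative (child) NS sets."""
    def usable(ns):
        return sorted(n for n in ns if n in resolvable)
    return {
        "consistent": parent_ns == child_ns,
        "dead_child_ns": sorted(child_ns - resolvable),
        # A parent-centric resolver keeps using the delegation set.
        "parent_centric_usable": usable(parent_ns),
        # A child-centric resolver replaces it with the child's NS RRset.
        "child_centric_usable": usable(child_ns),
    }

ZONE = "eurobank-direktna.rs"
PARENT = """; Delegation NS
eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
"""
CHILD = """;; ANSWER SECTION:
eurobank-direktna.rs. 3600    IN      NS      bgdit01edns01.eurobank.rs.
"""
# Assumption: the three delegation hosts have address records; per the thread,
# bgdit01edns01.eurobank.rs does not exist.
RESOLVABLE = {"ns1.eurobank.rs", "ns2.eurobank.rs", "ns3.eurobank.rs"}

def run():
    return audit(parse_ns(PARENT, ZONE), parse_ns(CHILD, ZONE), RESOLVABLE)

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

An empty `child_centric_usable` list is the state described above: once the child NS RRset is cached and preferred, no reachable server remains until that data expires.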