[Pdns-users] Recursor problem when zone has no NS records
Derrik Pates
demon at devrandom.net
Wed Jun 4 18:30:43 UTC 2008
All:
A customer has recently led me to discover that pdns_recursor, when
performing a recursive query, such as looking for an 'A' record for the
likes of 119.177.179.77.zen.spamhaus.org, times out and fails due to the
fact that the 'zen.spamhaus.org' zone contains no NS records at all. If I
query for NS records, I just get the SOA (as is usual for the circumstance).
There are, of course, NS records to indicate the referral at the parent
server, but for apparent "security" purposes, none are indicated in the
zone itself. Running the same query against a BIND-based recursor gets
correct results, along with an authority section listing several of the
nameservers.
Can anything be done to mitigate issues like this, where someone either
forgets, or in a misguided attempt at improving "security", doesn't list
their NSes like they're supposed to? I haven't tried a variety of other
nameservers, but BIND at least just seems to assume the nameservers from
the parent zone are, in fact, the ones you wish to keep if the zone
doesn't include any.
Regards,
--
Derrik Pates
demon at devrandom.net
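
The situation described in this message, as an added example that is not part of the original post and is not PowerDNS or BIND code: a check that compares the NS set in the parent's referral with the child's reply to an apex NS query, and flags the case where the child returns only an SOA. The `Response` structure, the function name and the nameserver names are constructed assumptions; the fallback to the parent's set models what the post observes BIND doing.

```python
# Added example with constructed data; nothing here was captured from real servers.
from dataclasses import dataclass, field


@dataclass
class Response:
    rcode: str                                      # "NOERROR", "SERVFAIL", ...
    answer_ns: set = field(default_factory=set)     # NS targets in ANSWER
    authority_ns: set = field(default_factory=set)  # NS targets in AUTHORITY
    authority_soa: bool = False                     # SOA present in AUTHORITY


def _norm(names):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return {n.lower().rstrip(".") for n in names}


def classify_delegation(parent_referral, child_ns_reply):
    """Return (status, usable_ns) for one zone cut.

    status: "no-delegation", "child-nodata", "child-error",
            "consistent" or "mismatch".
    usable_ns: the NS set a lenient resolver could keep using.
    """
    delegated = _norm(parent_referral.authority_ns)
    if not delegated:
        return "no-delegation", set()
    apex = _norm(child_ns_reply.answer_ns)
    if not apex:
        # NOERROR plus SOA and no NS answer is NODATA: the case in the post.
        nodata = child_ns_reply.rcode == "NOERROR" and child_ns_reply.authority_soa
        # Either way the parent's referral is the only NS set available.
        return ("child-nodata" if nodata else "child-error"), delegated
    if apex == delegated:
        return "consistent", apex
    # The child's answer is authoritative for its own apex, so it wins.
    return "mismatch", apex


# Constructed referral for zen.spamhaus.org; NS names are placeholders.
PARENT = Response("NOERROR", authority_ns={"NS1.example.net.", "ns2.example.net."})
CHILD_NODATA = Response("NOERROR", authority_soa=True)
CHILD_OK = Response("NOERROR", answer_ns={"ns1.example.net.", "ns2.example.net."})
CHILD_OTHER = Response("NOERROR", answer_ns={"ns3.example.net."})

if __name__ == "__main__":
    for label, child in [("nodata", CHILD_NODATA), ("ok", CHILD_OK), ("other", CHILD_OTHER)]:
        print(label, classify_delegation(PARENT, child))
```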