1. delegation response
Response format: DNS/RFC/1035/4
/DJB The five kinds of DNS response: http://djbdns.qmail.jp/djbdns/notes/type.html describes it as
a response with RCODE NOERROR, where the authority section contains NS records and does not contain an SOA record.
In addition, the following conditions are considered to hold:
- The AA flag in the header is 0, and the Answer Section is empty.
- The owner name (labels) of the NS records in the Authority Section is a proper suffix of the query name.
Even when all of these are satisfied, the response may still be poison (a forged response). Countermeasures such as re-querying the NS records are desirable. -- ToshinoriMaeno 2015-09-24 08:54:25
DNS/1/資源レコード/NS/出現場所 DNS/返答/返答中のNS
2. delegation
Some writings appear to confuse delegation with ../referral.
%grep -2 -n delegate rfc1034.txt
1030-
1031-The class partition is simple.  The database for any class is organized,
1032:delegated, and maintained separately from all other classes.  Since, by
1033-convention, the name spaces are the same for all classes, the separate
1034-classes can be thought of as an array of parallel namespace trees.  Note
--
1065-a subtree.  Once an organization controls its own zone it can
1066-unilaterally change the data in the zone, grow new tree sections
1067:connected to the zone, delete existing nodes, or delegate new subzones
1068-under its zone.
1069-
--
1082-   as part of the authoritative data).
1083-
1084:   - Data that describes delegated subzones, i.e., cuts around the
1085-     bottom of the zone.
1086-
--
2945-
2946-   Describes the registration policies used by the NIC to
2947:   administer the top level domains and delegate subzones.

%grep -2 -n delegation rfc1034.txt
~
1069-
1070-If the organization has substructure, it may want to make further
1071:internal partitions to achieve nested delegations of name space control.
1072-In some cases, such divisions are made purely to make database
1073-maintenance more convenient.
--
1140-When some organization wants to control its own domain, the first step
1141-is to identify the proper parent zone, and get the parent zone's owners
1142:to agree to the delegation of control.  While there are no particular
1143-technical constraints dealing with where in the tree this can be done,
1144-there are some administrative groupings discussed in [RFC-1032] which
--
1160-using limited transatlantic bandwidth.
1161-
1162:As the last installation step, the delegation NS RRs and glue RRs
1163:necessary to make the delegation effective should be added to the parent
1164-zone.  The administrators of both zones should insure that the NS and
1165-glue RRs which mark both sides of the cut are consistent and remain so.
--
1354-   4. Start matching down in the cache.  If QNAME is found in the
1355-      cache, copy all RRs attached to it that match QTYPE into the
1356:      answer section.  If there was no delegation from
1357-      authoritative data, look for the best one from the cache, and
1358-      put it in the authority section.  Go to step 6.
--
1404-Wildcard RRs do not apply:
1405-
1406:   - When the query is in another zone.  That is, delegation cancels
1407-     the wildcard defaults.
1408-
--
1864-      the client.
1865-
1866:   b. if the response contains a better delegation to other
1867:      servers, cache the delegation information, and go to
1868-      step 2.
1869-
--
1964-greater than zero.
1965-
1966:If the response shows a delegation, the resolver should check to see
1967:that the delegation is "closer" to the answer than the servers in SLIST
1968-are.  This can be done by comparing the match count in SLIST with that
1969:computed from SNAME and the NS RRs in the delegation.  If not, the reply
1970:is bogus and should be ignored.  If the delegation is valid the NS
1971:delegation RRs and any address RRs for the servers should be cached.
1972-The name servers are entered in the SLIST, and the search is restarted.
1973-
--
2083-forces the TTL of all authoritative RRs to be at least the MINIMUM field
2084-of the SOA, here 86400 seconds, or one day.  The NS RRs marking
2085:delegation of the MIL and EDU domains, together with the glue RRs for
2086-the servers host addresses, are not part of the authoritative data in
2087-the zone, and hence have explicit TTLs.
--
2667-
2668-The resolver would notice that the information in the response gave a
2669:closer delegation to ISI.EDU than its existing SLIST (since it matches
2670-three labels).  The resolver would then cache the information in this
2671-response and use it to set up a new SLIST:
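The following is an added example, not code from this page or from djbdns. It parses a DNS response from wire format and applies two checks described above: the delegation-response shape from section 1 (RCODE NOERROR, AA=0, empty answer, NS but no SOA in the authority section, NS owner a proper suffix of QNAME) and the RFC 1034 "closer delegation" test from the excerpt at lines 1966-1971 (the NS owner must match more labels of SNAME than the zone the servers in SLIST belong to, otherwise the reply is bogus). The sample message is constructed inline; the names example.test, ns1.example.test and the address 192.0.2.1 are placeholders, and the classification helpers are my own.

```python
"""Classify a DNS response as a delegation and check it is "closer" than the
resolver's current SLIST zone.  Added example; the sample message is constructed."""
import struct

TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6


def read_name(msg, off):
    """Read a possibly compressed name; return (lower-cased labels, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                       # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return labels, (end if jumped else off)


def parse_message(msg):
    """Return header flags, question and the three RR sections as (owner, type, rdata)."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, question, sections = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        question.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"flags": flags, "question": question,
            "answer": sections[0], "authority": sections[1], "additional": sections[2]}


def is_proper_suffix(owner, qname):
    return len(owner) < len(qname) and qname[len(qname) - len(owner):] == owner


def is_delegation(resp):
    """Shape checks from section 1: NOERROR, AA clear, no answer, NS and no SOA
    in authority, every NS owner a proper suffix of QNAME."""
    flags = resp["flags"]
    if flags & 0x000F != 0 or flags & 0x0400 or resp["answer"]:
        return False
    auth = resp["authority"]
    if any(t == TYPE_SOA for _, t, _ in auth):
        return False
    owners = [o for o, t, _ in auth if t == TYPE_NS]
    qname = resp["question"][0][0]
    return bool(owners) and all(is_proper_suffix(o, qname) for o in owners)


def match_count(sname, zone):
    """Number of trailing labels shared by sname and zone (RFC 1034 match count)."""
    n = 0
    for a, b in zip(reversed(sname), reversed(zone)):
        if a != b:
            break
        n += 1
    return n


def delegation_is_closer(resp, sname, slist_zone):
    """RFC 1034 5.3.3: the delegation's NS owner must match more labels of SNAME
    than the zone currently in SLIST; otherwise the reply is bogus."""
    owners = {tuple(o) for o, t, _ in resp["authority"] if t == TYPE_NS}
    current = match_count(sname, slist_zone)
    return all(match_count(sname, list(o)) > current for o in owners)


def encode_name(labels):
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_sample_referral(aa=False, with_soa=False):
    """Constructed referral for www.example.test/A with one NS and one glue A record.
    aa=True or with_soa=True yield variants that must NOT classify as a delegation."""
    flags = 0x8000 | (0x0400 if aa else 0)          # QR=1, RCODE=NOERROR
    q = encode_name(["www", "example", "test"]) + struct.pack("!HH", TYPE_A, 1)
    ns_owner, ns_target = encode_name(["example", "test"]), encode_name(["ns1", "example", "test"])
    authority = ns_owner + struct.pack("!HHIH", TYPE_NS, 1, 3600, len(ns_target)) + ns_target
    if with_soa:
        soa = ns_target + encode_name(["hostmaster", "example", "test"]) + struct.pack("!5I", 1, 3600, 900, 604800, 300)
        authority += ns_owner + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(soa)) + soa
    hdr = struct.pack("!6H", 0x1234, flags, 1, 0, 2 if with_soa else 1, 1)
    ptr = 12 + len(q) + len(ns_owner) + 10           # offset of ns_target inside the NS RR
    glue = struct.pack("!H", 0xC000 | ptr) + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return hdr + q + authority + glue


if __name__ == "__main__":
    r = parse_message(build_sample_referral())
    print("delegation:", is_delegation(r), "closer than .test:",
          delegation_is_closer(r, ["www", "example", "test"], ["test"]))
```

Passing both checks says only that the message has the shape of a referral pointing further down the tree; as the note above says, a forged message can satisfy them too, so a resolver still wants to confirm the NS set by an independent query before trusting it.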
3. SOA record
Supporting evidence that an SOA does not appear in a delegation response -- ToshinoriMaeno 2018-11-20 08:31:47
RFC 1034
The method is that a name server may add an SOA RR to the additional section of a response when that response is authoritative. The SOA must be that of the zone which was the source of the authoritative data in the answer section, or name error if applicable. The MINIMUM field of the SOA controls the length of time that the negative result may be cached. Note that in some circumstances, the answer section may contain multiple owner names. In this case, the SOA mechanism should only be used for the data which matches QNAME, which is the only authoritative data in this section.