[svlug] BIND9 on EC2

Rick Moen rick at svlug.org
Sun Nov 30 17:41:06 PST 2014


Scott wrote:

>> I forgot to mention, the first time, that the roster of NS lines in the
>> master namserver's zonefile (the in-zone list) must always be changed in
>> lockstep with the domain's namserver list at your registrar.  The in-zone 
>> set of NS lines should be checked to ensure that they always match the NS
>> records in the domain's parent zone.
> 
> I'm not sure what you mean here?

Any time you change the Name Server entries in your registrar's domain record
(for your domain), you should change them exactly the same way in your
zonefile's NS lines.  Any time you change the set of NS lines in your
zonefile, you should change the Name Server entries in your registrar's
domain record (for your domain) to match.

Any such changes you make in your registrar's domain records get reflected
within (typically) a few minutes in whois output.  Here is the relevant
whois section for domain svlug.org at the moment:

$ whois svlug.org | grep -i 'Name server'
Name Server:NS1.SVLUG.ORG
Name Server:NS2.SVLUG.ORG
Name Server:NS3.SVLUG.ORG
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
Name Server: 
$

Here are the svlug.org zonefile's NS lines, gathered by querying the master
nameserver using 'dig':

$ dig -t ns svlug.org @ns1.svlug.org +short
ns1.svlug.org.
ns2.svlug.org.
ns3.svlug.org.
$ 


Got it?  Those are the same three entries.  (BTW, order is NOT significant.)


I also referred to the _former_ information (the 'Name Server' lines shown
by whois, and shown in your registrar's control-panel thingie, whatever it
is (and each registrar has a different thingie) as NS records in the parent
zone.  I meant that _literally_.  The parent zone of svlug.org is the org
zone (the org TLD).  Any time you edit Name Server information via your
domain registrar's administrative thing, you are literally (indirectly)
submitting zonefile updates that change NS lines _in the zonefile of org_ 
itself.  

You can verify this by using dig to, first, ask what are the authoritative
nameservers for the org zone, and hten asking one of those nameservers if it
has any NS lines concerning your domain in its records concerning the org
domain.  Watch how you do this:

$ dig -t ns org. +short
a0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
c0.org.afilias-nst.info.
d0.org.afilias-nst.org.
$

Those are the six current authoritative nameservers for org.  (Each is a 
geoIP cluster of some sort, not a single machine.)  Let's ask the first of
them what NS records concerning svlug.org it has:

$ dig -t ns svlug.org @a0.org.afilias-nst.info.

[...]
;; AUTHORITY SECTION:
svlug.org.		86400	IN	NS	ns1.svlug.org.
svlug.org.		86400	IN	NS	ns3.svlug.org.
svlug.org.		86400	IN	NS	ns2.svlug.org.

;; ADDITIONAL SECTION:
ns1.svlug.org.		86400	IN	A	64.62.190.98
ns2.svlug.org.		86400	IN	A	198.144.194.12
ns3.svlug.org.		86400	IN	A	198.144.195.186

[...]
$ 

Here, we have directly queried the NS lines concerning the svlug.org
domain within org's zonefile.


> > What?

> See Below (I pasted the wrong link last time)
> 
> https://www.dropbox.com/s/56jrykozuqt4ptm/fat_cow_nameservers.png?dl=0
> 
> This is what I'm looking at. There's nothing more to deal with from them.

Umm.... I don't know what else you expected to see.  That control allows you
to repoint the domain to the authoritative namservers of your choosing.
That's exactly what you need on the domain registrar end - no more, no less.


Any other questions?  If you were wondering how to use dig to query (1)
your domain's in-zone NS lines (those you edit directly on what you will be
using as your master nameserver) and (2) parent-zone NS likes concerning
your domain, the above shows you how to do it.  I believe I covered pretty
much the entire process in the required order.  So, do that.







More information about the svlug mailing list