Join Log in
Score:0
vinz avatar Server

Bailiwick and "Sibling domain" definition

gd flag
vinz

If I do the following command dig allcosts.net @g.gtld-servers.net, I will get:

;; QUESTION SECTION:
;allcosts.net.          IN  A

;; AUTHORITY SECTION:
allcosts.net.       172800  IN  NS  ns-22.awsdns-02.com.
allcosts.net.       172800  IN  NS  ns-912.awsdns-50.net.
allcosts.net.       172800  IN  NS  ns-1834.awsdns-37.co.uk.
allcosts.net.       172800  IN  NS  ns-1233.awsdns-26.org.

;; ADDITIONAL SECTION:
ns-912.awsdns-50.net.   172800  IN  A   205.251.195.144

According to amazon (link here) ".net customers actually get the benefit of two in-bailiwick glue records", meaning the ADDITIONAL is considered as in-bailiwick.

I'm trying to understand why "ns-912.awsdns-50.net." is in-bailiwick here.

The RFC 8499 show an example if a similar situation:

   Delegation |Parent|Name Server Name  | Type
   -----------+------+------------------+-----------------------------
   example.org| org  |ns.ietf.org       |in-bailiwick / sibling domain

The delegation is for allcosts.net, the parent is net and the name server ns-912.awsdns-50.net.. Following the example from the RFC, that would mean it is a sibling domain.

Here is the definition of a sibling domain:

Sibling domain: a name server's name that is either subordinate
         to or (rarely) the same as the zone origin and not subordinate
         to or the same as the owner name of the NS resource records.
         Glue records for sibling domains are allowed, but not
         necessary.

If I understand, they both have the same zone origin (net) and not subordinate/same owner (allcosts.net vs ns-912.awsdns-50.net), making them sibling. Did I make correct assumptions here?

19
0 + 0
Score:1
Patrick Mevzek avatar Server
cn flag
Patrick Mevzek

I'm trying to understand why "ns-912.awsdns-50.net." is in-bailiwick here.

Because it is under .net TLD and you are asking for a .net domain name.

But even then, as the RFC states, the glues are not strictly necessary because the nameserver name, while under .net is under a different domain name than the one you queried for. There is hence no logical problem in doing another query to retrieve this nameserver IP address, but the authoritative nameserver is trying to be helpful by providing it to you immediately in ADDITIONAL section.

This may not be similar in other TLDs.

Your assumptions are correct, except maybe this part which is unclear at least:

meaning the ADDITIONAL is considered as in-bailiwick.

It is not because something is in ADDITIONAL that it is in-bailiwick or not.

ADDITIONAL section was designed to carry whatever useful extra data the resolver wish to send without having it considered authoritative (and not signed by DNSSEC). Lot of things could be there, but past events showed that recursive nameservers should be very cautious to take information from that section, so it should be used only when strictly necessary because no other path, which means basically this is for glues (in-bailiwick and not sibling). So glues will be in ADDITIONAL section, but not everything in ADDITIONAL section is necessarily glues all the time.

0 + 0
vinz avatar
gd flag
vinz
That makes a lot of sense. When you say "(in-bailick and not sibling)", does it mean sibling should not be consider if possible? I do not see recommendations in the RFCs about sibling specifically?
0
Reply
Patrick Mevzek avatar
cn flag
Patrick Mevzek
I meant: if you have `foo.example` using `ns.bar.example` as nameserver, both are internal to the same registry (same TLD), so "in-bailiwick" both of them for `net` for `bar.example` is only a sibling of `foo.example` it is not in-bailiwick of it. So exactly as your example, strictly speaking, when querying for `foo.example` at `example` authoritative nameserver, ADDITIONAL with A/AAAA records for `ns.bar.example` are not mandatory, but can happen. If the nameserver was `ns.foo.example` then those A/AAAA records (glues) would be mandatory in ADDITIONAL.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.