NS Records masked due to aktive child zone

[HB9HIL]

Hello guys

I'm still learning about DNS and Netbox DNS in general, but I currently have an issue which is totally unclear for me.

In my current setup I've created a zone

Zone: example.com
Nameserver: ns1.example.com, ns2.example.com
View: public_view

And an internal zone which is managed by another set of nameservers
Zone: intern.example.com
Nameserver: ns1.intern.example.com, ns2.intern.example.com
View: internal_view

Since we want DNSSEC enabled for the internal zone I created (besides the necessary DNSSEC Conf) a DS record in example.com which was recognized by Netbox DNS as Delegation Record. So far so good

I expected Netbox DNS to create a NS Record in the parent zone for the internal zone

# Zone: example.com
intern        IN NS  ns1.intern.example.com.
ns1.intern    IN A   10.0.0.1

But Netbox DNS did not create such a record. Okay so I created one manually.. But besides the fact that I can't get this record in my zonefile with my Ansible Stuff I got a warning in Netbox and the record is not recognized as Delegation record. May there is something badly wrong in my logic or I may found a bug regarding the delegation record feature?

[peteeckel]

Hi @HB9HIL,

thanks for raising this, as it sheds light on an issue that is in the works, but not currently implemented (it's more complex than it looks at first sight).

You currently have a situation where you need a so-called "glue record", as the nameservers in your internal zone have names in the same zone, which technically means that you have a hen-and-egg problem: The zone can't be resolved because ethe name servers aren't known, and the nameservers can't be found because their address record is in the zone that can't be resolved.

The solution are the aforementioned "glue records", which are technically not belonging in the parent zone but need to be there anyway (and the DNS resolvers do the right thing). You set them up correctly, the warning is misleading in this case and can safely be ignored - everything is fine.

To get rid of the warning or even generate glue records automatically, NetBox DNS needs to do more evaluation of parent/child zone relationships. There are some corner cases that need to be taken care of, but it's definitely on my list and will eventually be implemented - with DNSSEC and NetBox 4.3 out of the way now it will be one of the next things planned for this year.

The logic that needs to be implemented is:

• Detect whether a child zone of a zone present in NetBox DNS is in NetBox DNS as well
• If so, detect whether any name server for the child zone has a name within the same child zone (the "glue record" situation)
• Add the NS record for all name servers that are within the child zone to the child zone
• Add delegation and glue records to the parent zone as well
• Stop complaining about glue and NS records being masked

Currently you're safe if you leave your records as they are and just ignore the warning - after all it's just a warning and you know you did the right thing, so that's fine.

[HB9HIL]

Thank you very much!

[peteeckel]

One question: What does "I can't get this record in my zonefile with my Ansible Stuff" mean? The records are in the zone, and so they should be exportable just like any other record - where's the problem?

[HB9HIL]

I just found out that this is an issue of my jinja template where I filtered the records in the most silly way :-D No issue here. But thank you very very much for answering in such a detailed way. I really appreciate it :)

[peteeckel]

What version of NetBox DNS are you currently using?

I just checked with the latest version 1.3.0 (which is functionally identical to 1.2.11 in that respect), and I don't see the warning for neither for the NS nor for the glue record.

[HB9HIL]

1.2.7. may I should upgrade

[peteeckel]

At least it won't hurt, although I couldn't find a change between 1.2.7 and 1.2.11 that is suspicious of causing this.

If it's still present with 1.2.11, we'll check more closely.

[HB9HIL]

Just checked and yes the warning is present in 1.2.11 :)

[peteeckel]

OK, got it ... after reading it for what feels like the 10th time.

Zone: example.com
Nameserver: ns1.example.com, ns2.example.com
View: public_view

And an internal zone which is managed by another set of nameservers
Zone: intern.example.com
Nameserver: ns1.intern.example.com, ns2.intern.example.com
View: internal_view

Your zones are unrelated, intern.example.com is not a child zone of example.com, because they are in different views.

The warning is definitely wrong for that reason, as the record is not masked by a child zone, as there is no child zone. I'll open an issue for this shortly.

But your configuration is likely incorrect as well, as you are attempting to delegate from one view to another one. Views are best understood as namespaces - like you'd use for split horizon DNS. A zone in view internal_view does not have any relationship to one in view public_view, and a client that's able to query for one will not see the other.

And, for good measure, I found another bug while reproducing this one, which will yield a nice little issue in it's own right :-)

[peteeckel]

@HB9HIL I just published 1.2.12 that takes care for it for those who are not on NetBox 4.3 yet.

The real fix for the second issue will be in 1.3.1, which is due soon (waiting for NetBox 4.3.1 to be released to avoid late collisions :-) )

[HB9HIL]

thx :)

[peteeckel]

Gern geschehen :-)

This discussion made me aware of a larger issue, i.e. the problem with automatically generated PTR records in combination with glue records. That actually caused an internal server error (which is always bad), and fixing it was not as simple as it looked at first sight ... so in 1.2.12 I just covered it by catching the exception at the right point, but that's not a real fix ...

1.3.1 is out now as well, as NetBox 4.3.1 will probably hit the streets any minute now.