Issues with 3rd party vendor support regarding delegations....

Authority
Posts: 34
1537     0

Is there a way to add NS pointers in the parent's parent zone via Infoblox?

 

A vendor's support requires a CNAME record validation to permit setup of an account.

Domain "example.com" managed by our NS plus a partner NS (all auth, no recursion) 

Subdomain "sub1.example.com" managed by our NS only

Subdomain "sub2.sub1.example.com" managed on our NS only  

CNAME "record.sub2.sub1.example.com" in its zone, on our NS only

 

Vendor support complains they cannot approve config on their side because the partner's NSx doesn't know "record.sub2.sub1.example.com" nor the NS of "sub2.sub1.example.com".

 

Been at this for a month by now debating with the vendor's support and I'm fed up, so is there a way for me to add either the CNAME as a dotted record in "example.com" or NS pointers for "sub2.sub1.example.com" in the parent's parent "example.com"?

 

The alternative as I see it, I'm done arguing at this point, is to go back to my internal customer and inform them they have to choose another vendor.

 

 

Re: Issues with 3rd party vendor support regarding delegations....

Superuser
Posts: 47
1538     0

Based upon your description, this is what we interpret to be your description:

Structure:
example.com
    NS ns1.example.com
    NS ns2.externalexample.com
    A ns1.example.com 1.1.1.1

 

    sub1.example.com
         NS ns1.sub1.example.com
         A ns1.sub1.example.com 1.1.1.1

 

           sub2.sub1.example.com
                NS ns1.sub2.sub1.example.com
                A ns1.sub2.sub1.example.com 1.1.1.1
                CNAME record.sub2.sub1.example.com whatever.domain.com

 

Is this correct?

 

The vendor complains that since "example.com" also has "NS ns2.externalexample.com" it should also provide the answer for "CNAME record.sub2.sub1.example.com"

 

In our view, this is incorrect. The subzone sub1.example.com, going by its NS record, is only served by ns1.sub1.example.com. The next subzone sub2.sub1.example.com, going by its NS record, is only served by ns1.sub2.sub1.example.com.
ns2.externalexample.com should only respond with authoritative responses for the zones where it is listed as the nameserver.

 

Re: Issues with 3rd party vendor support regarding delegations....

Authority
Posts: 34
1538     0

Thanks for responding tlee! 

Yes that's what the vendor support is saying and yes I know that's incorrect, but that does unfortunately not help me here 

 

Their (3rd party) validation tool is incomplete, pulling the NS of example.com and querying all of them for record.sub2.sub1.example.com.

The query response is correct, with NS including an additional section with the IP of sub1.example.com; the tool considers this response invalid.

 

I've argued with vendor support for a month and they keep replying the tool says wrong so they can't add the config. 

I know the root cause and I know the solution but it's out of my reach, hence asking if it's possible with a workaround using Infoblox to add a dotted record record.sub2.sub1 in zone example.com, to get ns2.external.example.com to respond the way the tool anticipates.

 

My other two options are to either tell my internal customer to throw away their investment of their new service, or add the zone on NS ns2.external.example.com at additional cost and administration for my team, as that NS is an external vendor hosting providing additional DDoS protection.
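
The delegation behaviour discussed in this thread, as an added example that is not part of any poster's message and is not Infoblox code: a small offline model showing why an authoritative-only partner NS returns a referral for record.sub2.sub1.example.com, why a check that accepts only direct answers from the apex NS set fails, and how a delegation-aware check succeeds. The zone layout is taken from the structure posted above; the `HOST` grouping (all three ns1 names on one server, since they were listed at 1.1.1.1) and all function names are assumptions made for this sketch.

```python
# Constructed model of the layout described in the thread (names as posted).
# Assumption: the three ns1.* names are one server ("ours"), the partner is another.
HOST = {"ns1.example.com": "ours", "ns1.sub1.example.com": "ours",
        "ns1.sub2.sub1.example.com": "ours", "ns2.externalexample.com": "partner"}

# zone -> (NS set, child delegations, records held in the zone)
ZONES = {
    "example.com": (["ns1.example.com", "ns2.externalexample.com"],
                    {"sub1.example.com": ["ns1.sub1.example.com"]}, {}),
    "sub1.example.com": (["ns1.sub1.example.com"],
                         {"sub2.sub1.example.com": ["ns1.sub2.sub1.example.com"]}, {}),
    "sub2.sub1.example.com": (["ns1.sub2.sub1.example.com"], {},
                              {"record.sub2.sub1.example.com": ("CNAME", "whatever.domain.com")}),
}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def query(ns_name, qname):
    """Authoritative-only server behaviour: ANSWER, REFERRAL, NXDOMAIN or REFUSED."""
    box = HOST[ns_name]
    hosted = [z for z, (ns, _, _) in ZONES.items()
              if in_zone(qname, z) and any(HOST[n] == box for n in ns)]
    if not hosted:
        return "REFUSED", None
    _, cuts, records = ZONES[max(hosted, key=len)]  # closest enclosing hosted zone
    for child, child_ns in cuts.items():
        if in_zone(qname, child):
            return "REFERRAL", child_ns  # NS set of the child zone, no direct answer
    if qname in records:
        return "ANSWER", records[qname]
    return "NXDOMAIN", None

def naive_check(apex, qname):
    """Tool as described in the thread: ask each apex NS, accept only a direct answer."""
    return {ns: query(ns, qname)[0] == "ANSWER" for ns in ZONES[apex][0]}

def delegation_aware_check(apex, qname, max_hops=8):
    """Follow referrals from each apex NS down to the authoritative answer."""
    out = {}
    for start in ZONES[apex][0]:
        ns, out[start] = start, None
        for _ in range(max_hops):  # hop limit guards against referral loops
            kind, data = query(ns, qname)
            if kind != "REFERRAL":
                out[start] = data if kind == "ANSWER" else None
                break
            ns = data[0]
    return out
```
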

 

 

 

 

 
