[dns-operations] delegation-only: How useful?

Dave Wilson richard.wilson at senokian.com
Tue Aug 19 15:34:35 UTC 2008

Hello all,

my apologies if I'm being dense, but lurking here a while suggests that 
Spreading the Clue is a good thing on this list, so maybe someone can 
spread some my way :-)

With all the recent hoo-hah I've decided to junk the out of date 
resolver left by my predecessor and replace it with a purpose-built 
machine running on OpenBSD, because that's what I know. Whilst going 
over the config files, I found the following snippet[0]:

zone "com" {
         type delegation-only;
};

zone "net" {
         type delegation-only;
};

<End paste>

Now having googled I found the page at
and so I get what it does, and why it's useful. I also found
which suggests to me I shouldn't use such things if I don't truly 
understand them.

If it's useful, then perhaps I should expand the list to cover more than 
just .com and .net, which I suspect are just there as examples. Indeed, 
perhaps the use of root-delegation-only is best, to keep things clean 
and tidy. However, the first page I linked suggests that there are 
exceptions, and as the datestamp on the page is October 2003 the list of 
exceptions I should use may well have changed, as pointed to by the 
second link. Most importantly, I think I have learnt enough to know that 
if I screw it up, I will most likely cause problems for those using the 
resolver. As such, I am unsure how I should proceed. Is there a 
canonical list of which TLDs should be excepted from 
root-delegation-only that I should have found?

More importantly perhaps, is there a source of information and advice 
with respect to best practices and conventions for running DNS servers 
that I should have checked before bugging you guys with my daft 
questions? So far I've found
but it didn't address this particular issue.


Dave Wilson,
Systems Admin,
Senokian Solutions.

PS: pasting big URLs into emails is annoying, but when I've used things 
like tinyurl before on mailing lists, people have complained that they 
can't see where links are going. Is there an accepted etiquette here?

[0] Taken from the default OpenBSD named.conf file,
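
Added example, not part of the original post and not BIND source code: a simplified Python model of the rule the BIND documentation gives for delegation-only zones (a response from such a zone's servers is treated as NXDOMAIN unless the query is for the zone apex or the authority section carries an explicit or implicit delegation). It shows why a TLD that serves data directly from its own zone has to be excluded from root-delegation-only. The sample responses and the TLD "example" are constructed, and the model leaves out BIND's exception for DS queries.

```python
# Simplified model of delegation-only filtering; not BIND's implementation.
from dataclasses import dataclass, field

@dataclass
class Response:
    zone: str                                      # zone whose servers replied
    qname: str
    answer: list = field(default_factory=list)     # (owner, type); not consulted
    authority: list = field(default_factory=list)  # (owner, type)

def norm(name):
    return name.rstrip(".").lower()                # "." (root) becomes ""

def strictly_below(name, zone):
    name, zone = norm(name), norm(zone)
    return name != "" if zone == "" else name.endswith("." + zone)

def enforced(zone, explicit=(), root_only=False, exclude=()):
    """Is this zone delegation-only under the given named.conf policy?"""
    zone = norm(zone)
    if zone in {norm(z) for z in explicit}:        # zone "x" { type delegation-only; };
        return True
    root_or_tld = "." not in zone                  # root, or a single label
    return root_only and root_or_tld and zone not in {norm(e) for e in exclude}

def filter_response(resp, **policy):
    """Return "pass" or "NXDOMAIN" for one upstream response."""
    if not enforced(resp.zone, **policy):
        return "pass"
    if norm(resp.qname) == norm(resp.zone):
        return "pass"                              # the zone apex is exempt
    for owner, rrtype in resp.authority:
        # NS below the zone = explicit delegation; SOA below = answer from a child
        if rrtype in ("NS", "SOA") and strictly_below(owner, resp.zone):
            return "pass"
    return "NXDOMAIN"

# Constructed sample responses.
REFERRAL = Response("com", "www.example.com", authority=[("example.com", "NS")])
WILDCARD = Response("com", "no-such-name.com",
                    answer=[("no-such-name.com", "A")], authority=[("com", "NS")])
DIRECT = Response("example", "shop.example",       # TLD serving data itself
                  answer=[("shop.example", "A")], authority=[("example", "NS")])

if __name__ == "__main__":
    snippet = {"explicit": ("com", "net")}         # the two zones from the post
    print(filter_response(REFERRAL, **snippet))
    print(filter_response(WILDCARD, **snippet))
    print(filter_response(DIRECT, root_only=True))
    print(filter_response(DIRECT, root_only=True, exclude=("example",)))
```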

