[dns-operations] delegation-only: How useful?

Florian Weimer fweimer at bfk.de
Wed Aug 20 07:28:03 UTC 2008

* Dave Wilson:

> If it's useful, then perhaps I should expand the list to cover more
> than just .com and .net, which I suspect are just there as
> examples.

Absolutely not.  Even .COM and .NET are by no means delegation-only.
Several ccTLDs which are not listed in ISC's root-delegation-only
exclude list have _nicname._tcp/IN/SRV entries to help WHOIS clients.
Making them delegation-only breaks this functionality.  And guess what
happens if a delegation-only zone is served from name servers whose
address records are in-zone and not delegated.

BIND's delegation-only was a short-term response to Verisign's
Sitefinder experiment, and may have helped to end this practice at the
TLD level.  But from a technical perspective, it is risky and it
limits legitimate zone changes by administrators of delegation-only
zones.  It has also failed to stop the general adoption of ad
injection through DNS manipulation.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
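
The breakage described in the message above, shown with a simplified model of a resolver-side delegation-only check. This is an added example, not part of the original post and not BIND's code. The rule it encodes (keep a response only for the zone apex or when the authority section carries a delegation below the apex, otherwise treat it as NXDOMAIN) is a simplification, and the zone name `tld.`, the sample responses and all function names are constructed for illustration.

```python
# Simplified model (an assumption, not BIND source code) of a delegation-only
# check applied by a validating/caching resolver to responses from one zone.

def norm(name):
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def is_strictly_below(name, zone):
    """True if name is a proper, label-aligned subdomain of zone."""
    name, zone = norm(name), norm(zone)
    return name != zone and name.endswith("." + zone)

def delegation_only_verdict(zone, qname, authority):
    """authority: list of (owner, rrtype) tuples from the authority section."""
    if norm(qname) == norm(zone):
        return "accept"                  # the zone apex is exempt
    for owner, rrtype in authority:
        if rrtype == "NS" and is_strictly_below(owner, zone):
            return "accept"              # referral to a child zone
    return "nxdomain"                    # in-zone data is discarded

# Constructed responses for a hypothetical TLD "tld." marked delegation-only.
# Each entry: (query name, authority section as (owner, type) pairs).
SAMPLES = [
    ("example.tld.",       [("example.tld.", "NS")]),  # ordinary referral
    ("www.example.tld.",   [("example.tld.", "NS")]),  # referral for a deeper name
    ("tld.",               [("tld.", "NS")]),          # apex query
    ("_nicname._tcp.tld.", [("tld.", "NS")]),          # in-zone SRV for WHOIS clients
    ("a.nic.tld.",         [("tld.", "NS")]),          # in-zone name server address
]

def classify_all(zone="tld."):
    """Return {qname: verdict} for every constructed sample."""
    return {q: delegation_only_verdict(zone, q, auth) for q, auth in SAMPLES}

if __name__ == "__main__":
    for qname, verdict in classify_all().items():
        print(f"{qname:22} {verdict}")
```

The last two samples are the cases the message names: the WHOIS SRV record and the in-zone address of the zone's own name server are both answered authoritatively by the TLD, so the model discards them.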
