[dns-operations] When TLDs have apex A records

Randy Bush randy at psg.com
Sat Jul 4 00:35:52 UTC 2009

>>>> I can imagine that the primary motivation doing this is so that
>>>> users can enter http://tld/ in a browser and find themselves at an
>>>> appropriate page.
>>> Or they have put wildcards in at the root.
>> i hear icann, at their meddling best, has now outlawed that.  so i
>> think i'll probably put one or two in when i get a spare moment.
> Didn't know you were such a fan of SiteFinder.

am not.  but icann is acting like the tsa.  someone had a bit of
explosive in their shoe, so shoes are now anathema.  as the joke goes,
luckily it was not a bomb in his undies.

> I gather you considered the IAB meddling when they posted
> http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html

i would make a change

    Proposed guideline: If you want to use wildcards in your zone and
    understand the risks, go ahead, but only do so with the informed
    consent of the entities that are delegated within your zone.

s/the entities/affected entities/

> More pragmatically, do you have substantive criticism of
> http://www.icann.org/en/committees/security/sac015.htm?

like the tsa, it goes from useful

    TLDs should refrain from using services that make use of wildcard
    services and synthesized DNS responses.

to overly prescriptive

    Why Top Level Domains Should Not Use Wildcard Resource Records

