[dns-operations] When TLDs have apex A records
Calvin Browne
calvin at orange-tree.alt.za
Sun Jul 5 07:15:58 UTC 2009
On Thu, 2009-07-02 at 09:26 +0000,
dns-operations-request at lists.dns-oarc.net wrote:
> From: Duane Wessels <wessels at dns-oarc.net>
> Recently someone asked me if I knew of any problems when a TLD zone
> has
> an A record at its apex. I did a quick scan and found the following:
>
> AC has address 193.223.78.210
<SNIP>
> WS has address 63.101.245.10
>
> I can imagine that the primary motivation doing this is so that
> users can enter http://tld/ in a browser and find themselves at an
> appropriate page.
>
> But I expect the user's domain search list takes priority if one
> of the searched domains has a name matching the TLD.
>
> But I'm wondering if there are any negative side-effects?
>
> Do these TLDs receive traffic that they shouldn't or don't want
> because of the apex A record? Maybe some mis-directed SMTP?
>
> Duane W.
As someone who helps to look after a (relatively) popular 2nd level with
an A record at its apex, I can stongly warn against it. This is of
course a different scenario from the tld example above but some of the
lessons may apply.
I've encountered huge problems when coming to deal with SPAM botnets -
they like short return address (ie you make yourself a target for
backscatter) - they do things like look up the smallest valid MX in
their parent tree and try and relay through that etc etc.
Also, your children often misconfigure and try and use your
infrastructure.
My advice, based on my experience would be to stay away from this path -
much pain lies here.
regards
--Calvin
More information about the dns-operations
mailing list