[dns-operations] When TLDs have apex A records

Calvin Browne calvin at orange-tree.alt.za
Sun Jul 5 07:15:58 UTC 2009

On Thu, 2009-07-02 at 09:26 +0000,
dns-operations-request at lists.dns-oarc.net wrote:
> From: Duane Wessels <wessels at dns-oarc.net>
> Recently someone asked me if I knew of any problems when a TLD zone
> has
> an A record at its apex.  I did a quick scan and found the following:
> AC has address
> WS has address
> I can imagine that the primary motivation doing this is so that
> users can enter http://tld/ in a browser and find themselves at an
> appropriate page.
> But I expect the user's domain search list takes priority if one
> of the searched domains has a name matching the TLD.
> But I'm wondering if there are any negative side-effects?
> Do these TLDs receive traffic that they shouldn't or don't want
> because of the apex A record?  Maybe some mis-directed SMTP?
> Duane W.

As someone who helps to look after a (relatively) popular 2nd level with
an A record at its apex, I can stongly warn against it. This is of
course a different scenario from the tld example above but some of the
lessons may apply.

I've encountered huge problems when coming to deal with SPAM botnets -
they like short return address (ie you make yourself a target for
backscatter) - they do things like look up the smallest valid MX in
their parent tree and try and relay through that etc etc.
Also, your children often misconfigure and try and use your

My advice, based on my experience would be to stay away from this path -
much pain lies here.



More information about the dns-operations mailing list