[dns-operations] DNS trust dependencies for TLDs
Duane Wessels
wessels at dns-oarc.net
Sat Jun 13 00:03:11 UTC 2009
On Fri, 12 Jun 2009, Matthew Dempsky wrote:
> On Fri, Jun 12, 2009 at 11:40 AM, Florian Weimer<fw at deneb.enyo.de> wrote:
>> .nl is not in the official root-delegation-only list, so .nl could
>> turn unreachable for some folks (including this mailing list) if you
>> use this short-cut.
>>
>> I really don't understand why ISC still advertises this feature, after
>> it has been demonstrated that it is prone to DoS attacks. *sigh*
>
> Can you elaborate on this issue, please? I'm not familiar with the
> problem scenario you're describing.
I'll try. I'm sure someone will correct me if I get it wrong.
Not too long after Sitefinder appeared (Sept 2003), some new features
appeared in BIND: delegation-only and root-delegation-only.
When a BIND user enables root-delegation-only, BIND accepts only
delegation responses from TLDs and the roots. Any non-delegation
RRs are ignored. The goal is to discourage wildcards in top level
zones.
Some TLDs are known to have non-delegations in their zone files.
ISC publishes a list of "trustworthy" TLDs with non-delegation
records in their zones. This is the root-delegation-only exclude
list. You can find it at https://www.isc.org/node/355
Over time some TLDs that are/were not in the recommended exclude
list have added non-delegation records to their zone. One that I
remember was .MX. I seem to recall there was another, more recently,
perhaps related to DNSSEC.
I believe you suggested:
> There's no need to create a nl-ns.nl zone: just do like .mx and .se.
And Florian's point is that if .NL does this, and since they are
not in the ISC-suggested exclude list, anyone that enabled
root-delegation-only will suddenly no longer be able to resolve
names in .NL.
DW
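To make the failure mode concrete, here is an added example (written for this archive page, not code from the thread, from ISC, or from BIND itself) that models the root-delegation-only check as Duane describes it: responses from a TLD are kept only if they are a referral, an empty answer, or a query for the TLD apex, unless the TLD is on the exclude list. The model is a simplification of BIND's actual logic, the exclude list is constructed (the four labels are the ones BIND's documentation names as not delegation-only; the real list is at the ISC URL above), the name nl-ns.nl is taken from the thread as a hypothetical, and the address 192.0.2.1 is a constructed documentation-range value. The `named_conf_snippet` helper emits the real `root-delegation-only exclude { ... };` option syntax.

```python
"""Toy model of BIND's root-delegation-only filtering (added illustration, not BIND code)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name, no trailing dot
    rtype: str   # e.g. "NS", "A", "SOA"
    rdata: str


@dataclass
class Response:
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


# Constructed exclude list for the demo; ISC's real list is the one linked in the thread.
ISC_STYLE_EXCLUDE: Set[str] = {"de", "lv", "us", "museum"}


def tld_of(name: str) -> str:
    """Top-level label of a name: 'www.example.nl' -> 'nl'."""
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def has_delegation(resp: Response, zone: str) -> bool:
    """True if the authority section delegates a name strictly below the TLD apex.

    An NS RRset owned by the apex itself is the TLD's own NS set, not a delegation."""
    for rr in resp.authority:
        owner = rr.name.lower().rstrip(".")
        if rr.rtype == "NS" and owner != zone and owner.endswith("." + zone):
            return True
    return False


def root_delegation_only_check(resp: Response, exclude: Set[str]) -> Tuple[str, List[RR]]:
    """Simplified filter (assumption: models, does not reproduce, BIND's code).

    Returns (verdict, RRs the resolver keeps). A TLD response is accepted if the TLD is
    excluded, if it is an apex query, if it carries a referral, or if it is empty
    (NXDOMAIN/NODATA); any other answer data is treated as NXDOMAIN and dropped."""
    zone = tld_of(resp.qname)
    qname = resp.qname.lower().rstrip(".")
    if zone in exclude:
        return ("accepted", resp.answer)
    if qname == zone:                    # SOA/NS queries for the TLD apex are not filtered
        return ("accepted", resp.answer)
    if has_delegation(resp, zone):       # a proper referral
        return ("accepted", resp.answer)
    if not resp.answer:                  # nothing to filter
        return ("accepted", resp.answer)
    return ("treated-as-nxdomain", [])


def named_conf_snippet(exclude: Set[str]) -> str:
    """Render the options{} line that would put these TLDs on the exclude list."""
    labels = " ".join(f'"{t}";' for t in sorted(exclude))
    return f"root-delegation-only exclude {{ {labels} }};"


# Constructed sample responses, as a .nl server might send them.
REFERRAL = Response("www.example.nl",
                    authority=[RR("example.nl", "NS", "ns1.example.nl")])
# Non-delegation data served straight from the TLD zone: the kind of record the thread
# says .mx and .se carry. The name nl-ns.nl is the hypothetical from the thread.
DIRECT_ANSWER = Response("nl-ns.nl",
                         answer=[RR("nl-ns.nl", "A", "192.0.2.1")],
                         authority=[RR("nl", "NS", "ns1.dns.nl")])


def demo() -> dict:
    """Verdicts for the three situations the thread discusses."""
    return {
        "referral": root_delegation_only_check(REFERRAL, ISC_STYLE_EXCLUDE)[0],
        "direct_nl_default": root_delegation_only_check(DIRECT_ANSWER, ISC_STYLE_EXCLUDE)[0],
        "direct_nl_excluded": root_delegation_only_check(DIRECT_ANSWER, ISC_STYLE_EXCLUDE | {"nl"})[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print(named_conf_snippet(ISC_STYLE_EXCLUDE | {"nl"}))
```

Running it shows the referral passing, the direct answer from .nl being discarded under the default list, and the same answer passing once "nl" is added to the exclude list, which is the operational fix for a resolver that enabled the option and then finds a TLD unreachable.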