[dns-operations] DNS trust dependencies for TLDs

Duane Wessels wessels at dns-oarc.net
Sat Jun 13 00:03:11 UTC 2009

On Fri, 12 Jun 2009, Matthew Dempsky wrote:

> On Fri, Jun 12, 2009 at 11:40 AM, Florian Weimer<fw at deneb.enyo.de> wrote:
>> .nl is not in the official root-delegation-only list, so .nl could
>> turn unreachable for some folks (including this mailing list) if you
>> use this short-cut.
>> I really don't understand why ISC still advertizes this feature, after
>> it has been demonstrated that it is prone to DoS attacks. *sigh*
> Can you elaborate on this issue, please?  I'm not familiar with the
> problem scenario you're describing.

I'll try.  I'm sure someone will correct me if I get it wrong.

Not too long after Sitefinder appeared (Sept 2003), some new features
appeared in BIND: delegation-only and root-delegation-only.

When a BIND user enables root-delegation-only, BIND accepts only
delegation responses from TLDs and the roots.  Any non-delegation
RRs are ignored.  The goal is to discourage wildcards in top level

Some TLDs are known to have non-delegations in their zone files.
ISC publishes a list of "trustworthy" TLDs with non-delegation
records in their zones.  This is the root-delegation-only exclude
list.  You can find it at https://www.isc.org/node/355

Over time some TLDs that are/were not in the recommended exclude
list have added non-delegation records to their zone.  One that I
remember was .MX.   I seem to recall there was another, more recently,
perhaps related to DNSSEC.

I beleive you suggested:

   There's no need to create a nl-ns.nl zone: just do like .mx and .se.

And Florian's point is that if .NL does this, and since they are
not in the ISC-suggested exclude list, anyone that enabled
root-delegation-only will suddenly no longer be able to resolve
names in .NL.


More information about the dns-operations mailing list