[dns-operations] DNS trust dependencies for TLDs

Mark Andrews marka at isc.org
Sun Jun 14 23:48:19 UTC 2009

In message <87tz2lthwx.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Matthew Dempsky:
> > Another way without having to change nic.nl at all would be to setup
> > {a,b,c,d,e,f,g}.nl-ns.nl.  There's no need to create a nl-ns.nl zone:
> > just do like .mx and .se.
> .nl is not in the official root-delegation-only list, so .nl could
> turn unreachable for some folks (including this mailing list) if you
> use this short-cut.
> I really don't understand why ISC still advertizes this feature, after
> it has been demonstrated that it is prone to DoS attacks. *sigh*

	What DoS attacks?  TLD's changing from delegation only to
	having in zone data is not a DoS attack, it is a design
	feature.  BIND 9.6.1 addresses getting DS query responses
	from delegation only zones.

2605.   [bug]           Accept DS responses from delegation only zones.
                        [RT # 19296]

	Personally, I don't use delegation-only and it is not the
	default in any version of BIND.  Delegation-only has come
	with big warnings from day one.

	Note: DNSSEC actually make it harder to get false positives
	when a parent zone serves a child zone as the RRSIG records
	in the answers identify the zone and you don't have to rely
	on the authoritative servers sending the NS RRset for the
	zone in the authority section.


> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list