[dns-operations] DNS trust dependencies for TLDs
Mark Andrews
marka at isc.org
Sun Jun 14 23:48:19 UTC 2009
In message <87tz2lthwx.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Matthew Dempsky:
>
> > Another way without having to change nic.nl at all would be to set up
> > {a,b,c,d,e,f,g}.nl-ns.nl. There's no need to create a nl-ns.nl zone:
> > just do like .mx and .se.
>
> .nl is not in the official root-delegation-only list, so .nl could
> turn unreachable for some folks (including this mailing list) if you
> use this short-cut.
>
> I really don't understand why ISC still advertizes this feature, after
> it has been demonstrated that it is prone to DoS attacks. *sigh*

What DoS attacks?  TLDs changing from delegation only to
having in zone data is not a DoS attack, it is a design
feature.  BIND 9.6.1 addresses getting DS query responses
from delegation only zones.

2605.   [bug]           Accept DS responses from delegation only zones.
                        [RT # 19296]

Personally, I don't use delegation-only and it is not the
default in any version of BIND.  Delegation-only has come
with big warnings from day one.

Note: DNSSEC actually makes it harder to get false positives
when a parent zone serves a child zone as the RRSIG records
in the answers identify the zone and you don't have to rely
on the authoritative servers sending the NS RRset for the
zone in the authority section.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
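
Added example, not part of the original message and not BIND source code: a simplified Python model of the delegation-only decision discussed in this thread, showing the in-zone name server short-cut, the DS case from change 2605, and how an RRSIG signer name identifies a child zone when no NS RRset is sent. The Response class, classify() and all sample names are constructed assumptions.

```python
# Simplified model of a resolver's delegation-only check (illustrative only).
from dataclasses import dataclass, field

def norm(name: str) -> str:
    return name.lower().rstrip(".")

def below(name: str, zone: str) -> bool:
    """True if name is strictly below zone."""
    return norm(name) != norm(zone) and norm(name).endswith("." + norm(zone))

@dataclass
class Response:
    qname: str
    qtype: str
    authority_ns_owners: list = field(default_factory=list)  # owners of NS RRsets in authority
    rrsig_signers: list = field(default_factory=list)        # signer names of RRSIGs in answer

def classify(resp: Response, zone: str, accept_ds: bool = True) -> str:
    """Return 'accept' or 'nxdomain' for a response from a delegation-only zone's servers."""
    if norm(resp.qname) == norm(zone):
        return "accept"      # zone apex data is always allowed
    if accept_ds and resp.qtype == "DS":
        return "accept"      # DS is parent-side data (the case change 2605 covers)
    if any(below(owner, zone) for owner in resp.authority_ns_owners):
        return "accept"      # delegation, or child zone identified by its NS RRset
    if any(below(signer, zone) for signer in resp.rrsig_signers):
        return "accept"      # RRSIG signer name shows the answer is from a child zone
    return "nxdomain"        # in-zone data below the apex is rejected

# Constructed sample responses for a resolver treating "nl" as delegation-only.
IN_ZONE_NS_ADDR = Response("a.nl-ns.nl", "A", rrsig_signers=["nl"])
REFERRAL = Response("www.example.nl", "A", authority_ns_owners=["example.nl"])
DS_QUERY = Response("example.nl", "DS")
CHILD_UNSIGNED_NO_NS = Response("www.example.nl", "A")
CHILD_SIGNED_NO_NS = Response("www.example.nl", "A", rrsig_signers=["example.nl"])

if __name__ == "__main__":
    for label, r in [("in-zone NS address", IN_ZONE_NS_ADDR), ("referral", REFERRAL),
                     ("DS query", DS_QUERY), ("child, unsigned, no NS", CHILD_UNSIGNED_NO_NS),
                     ("child, signed, no NS", CHILD_SIGNED_NO_NS)]:
        print(f"{label:26} -> {classify(r, 'nl')}")
    print(f"{'DS query, DS not accepted':26} -> {classify(DS_QUERY, 'nl', accept_ds=False)}")
```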