[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting

Doug Barton dougb at dougbarton.us
Tue Dec 17 04:50:46 UTC 2013

On 12/16/2013 03:26 PM, Mark Andrews wrote:
> In message <52ACF0EE.3040404 at redbarn.org>, Paul Vixie writes:
>> this is true. and i am a strong opponent of mixed-mode (recursive plus
>> authoritative) servers, and i believe these are deprecated in later DNS
>> RFC's, and in any case not even BIND 10 will have that feature mix --
>> but RFC 1034 and RFC 1035 describe all name servers as working this way,
>> and i expect that if "root zone hidden slave" configuration became
>> widespread, then many name servers who don't support it today, would add
>> it in some form -- perhaps only in this particular (root zone) form.
> I don't care about mixed-mode for a nominally recursive server.
> If you are a *listed* authoritative nameserver then you shouldn't
> be recursive also.  That is the configuration that causes operational
> problems for others.

FWIW, big +1 from me. I have always slaved my local auth zones out to my 
resolvers, and never had a problem with it.

That said, the bigger picture problem is people not understanding the 
difference between that scenario and making the same server 
authoritative to the outside world and also a resolver. I'm not sure 
what the right answer is there.


PS, don't say "user education," since that's failed miserably for over a 
