[dns-operations] All NSs for a TLD being in the TLD itself
Einar Lönn
einar.lonn at iis.se
Fri Oct 25 15:00:46 UTC 2013
On Oct 25, 2013, at 3:45 PM, Randy Bush wrote:
>> xn--ngbc5azd. 172800 IN NS a.nic.xn--ngbc5azd.
>> xn--ngbc5azd. 172800 IN NS b.nic.xn--ngbc5azd.
>> xn--ngbc5azd. 172800 IN NS c.nic.xn--ngbc5azd.
>> xn--ngbc5azd. 172800 IN NS d.nic.xn--ngbc5azd.
>> a.nic.xn--ngbc5azd. 172800 IN A 37.209.192.3
>> a.nic.xn--ngbc5azd. 172800 IN AAAA 2001:dcd:1:0:0:0:0:3
>> b.nic.xn--ngbc5azd. 172800 IN A 37.209.194.3
>> b.nic.xn--ngbc5azd. 172800 IN AAAA 2001:dcd:2:0:0:0:0:3
>> c.nic.xn--ngbc5azd. 172800 IN A 37.209.196.3
>> c.nic.xn--ngbc5azd. 172800 IN AAAA 2001:dcd:3:0:0:0:0:3
>> d.nic.xn--ngbc5azd. 172800 IN A 37.209.198.3
>> d.nic.xn--ngbc5azd. 172800 IN AAAA 2001:dcd:4:0:0:0:0:3
>>
>> This works, of course, but it feels a bit fragile for me. Is there a
>> history of this being unsafe? Of being more safe than NSs whose names
>> are in other TLDs?
>
> what do you think is fragile? the in-baliwick glue? why?
>
> the ip address clumping would worry me if i thought they were not
> anycast.
>
> randy
Someone did a comparison between all the ccTLD's a few years back (was it CENTR? or RIPE? I cant find it...) where they checked stuff like this. I think I remember 100% in-bailiwick glue was considered best as this gives most control to the TLD itself and has the least risk of hijacking due to inzone or out of zone dependancies.
I actually agree with this assessment, at least as long as (in the example above) the zone "nic.xn--ngb5azd" is *very* well guarded (locked utterly) and preferrably also never delegated. Which it might actually be, then it's suddenly much riskier as you must have full control of the delegated zone also (which I kind of consider an inzone dependancy)...
(Compare: In .SE the zone "NS.SE" that contains all names of all NS-records for .SE is in-bailiwick and *not* a delegated zone).
BigMac:~ einar.lonn$ dig se ns +short
a.ns.se.
b.ns.se.
c.ns.se.
d.ns.se.
e.ns.se.
f.ns.se.
g.ns.se.
i.ns.se.
j.ns.se.
BigMac:~ einar.lonn$ dig ns.se ns @a.ns.se
; <<>> DiG 9.8.5-P1 <<>> ns.se @a.ns.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6494
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns.se. IN A
;; AUTHORITY SECTION:
se. 7200 IN SOA catcher-in-the-rye.nic.se. registry-default.nic.se. 2013102506 1800 1800 864000 7200
;; Query time: 45 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Fri Oct 25 16:54:07 CEST 2013
;; MSG SIZE rcvd: 99
Wish I could find that survey with the comparison, anyone remember it? It was a good one and gave out gold stars and such for nice DNS setups, which was kind of fun… ;)
/Regards, Einar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4057 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131025/a410de41/attachment.bin>
More information about the dns-operations
mailing list