[dns-operations] All NSs for a TLD being in the TLD itself

Einar Lönn einar.lonn at iis.se
Fri Oct 25 15:00:46 UTC 2013


On Oct 25, 2013, at 3:45 PM, Randy Bush wrote:

>> xn--ngbc5azd.		172800	IN	NS	a.nic.xn--ngbc5azd.
>> xn--ngbc5azd.		172800	IN	NS	b.nic.xn--ngbc5azd.
>> xn--ngbc5azd.		172800	IN	NS	c.nic.xn--ngbc5azd.
>> xn--ngbc5azd.		172800	IN	NS	d.nic.xn--ngbc5azd.
>> a.nic.xn--ngbc5azd.	172800	IN	A	37.209.192.3
>> a.nic.xn--ngbc5azd.	172800	IN	AAAA	2001:dcd:1:0:0:0:0:3
>> b.nic.xn--ngbc5azd.	172800	IN	A	37.209.194.3
>> b.nic.xn--ngbc5azd.	172800	IN	AAAA	2001:dcd:2:0:0:0:0:3
>> c.nic.xn--ngbc5azd.	172800	IN	A	37.209.196.3
>> c.nic.xn--ngbc5azd.	172800	IN	AAAA	2001:dcd:3:0:0:0:0:3
>> d.nic.xn--ngbc5azd.	172800	IN	A	37.209.198.3
>> d.nic.xn--ngbc5azd.	172800	IN	AAAA	2001:dcd:4:0:0:0:0:3
>> 
>> This works, of course, but it feels a bit fragile for me. Is there a
>> history of this being unsafe? Of being more safe than NSs whose names
>> are in other TLDs?
> 
> what do you think is fragile?  the in-baliwick glue?  why?
> 
> the ip address clumping would worry me if i thought they were not
> anycast.
> 
> randy

Someone did a comparison between all the ccTLD's a few years back (was it CENTR? or RIPE? I cant find it...) where they checked stuff like this. I think I remember 100% in-bailiwick glue was considered best as this gives most control to the TLD itself and has the least risk of hijacking due to inzone or out of zone dependancies.

I actually agree with this assessment, at least as long as (in the example above) the zone "nic.xn--ngb5azd" is *very* well guarded (locked utterly) and preferrably also never delegated. Which it might actually be, then it's suddenly much riskier as you must have full control of the delegated zone also (which I kind of consider an inzone dependancy)...

(Compare: In .SE the zone "NS.SE" that contains all names of all NS-records for .SE is in-bailiwick and *not* a delegated zone).

BigMac:~ einar.lonn$ dig se ns +short
a.ns.se.
b.ns.se.
c.ns.se.
d.ns.se.
e.ns.se.
f.ns.se.
g.ns.se.
i.ns.se.
j.ns.se.

BigMac:~ einar.lonn$ dig ns.se ns @a.ns.se       

; <<>> DiG 9.8.5-P1 <<>> ns.se @a.ns.se
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6494
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns.se.				IN	A

;; AUTHORITY SECTION:
se.			7200	IN	SOA	catcher-in-the-rye.nic.se. registry-default.nic.se. 2013102506 1800 1800 864000 7200

;; Query time: 45 msec
;; SERVER: 192.36.144.107#53(192.36.144.107)
;; WHEN: Fri Oct 25 16:54:07 CEST 2013
;; MSG SIZE  rcvd: 99

Wish I could find that survey with the comparison, anyone remember it? It was a good one and gave out gold stars and such for nice DNS setups, which was kind of fun… ;)


	/Regards, Einar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4057 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131025/a410de41/attachment.bin>


More information about the dns-operations mailing list