[dns-operations] All NSs for a TLD being in the TLD itself

Calvin Browne calvin at orange-tree.alt.za
Tue Oct 29 09:24:47 UTC 2013


On 25/10/2013 19:34, dns-operations-request at lists.dns-oarc.net wrote:
<SNIP>
> From: Einar L?nn <einar.lonn at iis.se>
> <snip>
>> what do you think is fragile?  the in-baliwick glue?  why?
>>
>> the ip address clumping would worry me if i thought they were not
>> anycast.
>>
>> randy
> Someone did a comparison between all the ccTLD's a few years back (was it CENTR? or RIPE? I cant find it...) where they checked stuff like this. I think I remember 100% in-bailiwick glue was considered best as this gives most control to the TLD itself and has the least risk of hijacking due to inzone or out of zone dependancies.
>
> I actually agree with this assessment, at least as long as (in the example above) the zone "nic.xn--ngb5azd" is *very* well guarded (locked utterly) and preferrably also never delegated. Which it might actually be, then it's suddenly much riskier as you must have full control of the delegated zone also (which I kind of consider an inzone dependancy)...
>
> (Compare: In .SE the zone "NS.SE" that contains all names of all NS-records for .SE is in-bailiwick and *not* a delegated zone).
>
> BigMac:~ einar.lonn$ dig se ns +short
> a.ns.se.
> b.ns.se.
> c.ns.se.
> d.ns.se.
> e.ns.se.
> f.ns.se.
> g.ns.se.
> i.ns.se.
> j.ns.se.
>
> B

I'm going to point out that .se went down because of a problem right at 
this point relativly recently. And .ng .... and I think there were more..

--Calvin



More information about the dns-operations mailing list