[dns-operations] All NSs for a TLD being in the TLD itself

Joe Abley jabley at hopcount.ca
Tue Oct 29 13:37:05 UTC 2013


On 2013-10-29, at 06:18, Jaap Akkerhuis <jaap at NLnetLabs.nl> wrote:

> If I remember correctly, the whole mess was augmented by all these
> resolvers which thought that SE had a delegation only policy. When
> the name servers became in bailiwick ...

The threat of delegation-only configuration in BIND9 was one of the things that caused me to propose the naming scheme you see for Afilias's hosted TLDs, back in the day.

Aside from the general ugliness and confusion that all those similar NS names cause (sorry about that), the general approach was to delegate the TLD to names in separate zones, but to host those zones alongside the TLD on the same nameserver. So, for example, we see

[walrus:~]% dig org. ns +short
a0.org.afilias-nst.info.
d0.org.afilias-nst.org.
b0.org.afilias-nst.org.
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b2.org.afilias-nst.org.
[walrus:~]% dig org.afilias-nst.info. ns +short
b0.org.afilias-nst.org.
d0.org.afilias-nst.org.
a0.org.afilias-nst.info.
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b2.org.afilias-nst.org.
[walrus:~]% dig org.afilias-nst.org ns +short
c0.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
a0.org.afilias-nst.info.
d0.org.afilias-nst.org.
a2.org.afilias-nst.info.
[walrus:~]% 

This allows any of those nameservers to answer authoritatively for any of those three zones, but provides defence against people asserting delegation-only semantics in ORG.

The use of separate superordinate TLDs for the nameservers themselves (ORG and INFO) was to avoid the question of whether there was a risk in naming them all under one TLD, since that question is difficult to answer convincingly; the risk profile when you consider all possible failure modes gets complicated to describe, quickly.

I haven't worked for Afilias for many years and certainly don't speak for them (or PIR) now, so consider this a historical nugget rather than anything authoritative about present-day operations or strategy :-)


Joe
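
Added example (not part of the original message, and not Afilias's or BIND's code): a small Python audit that classifies each NS name of a zone as in-zone, delegated (in bailiwick but behind a zone cut), or external, using the NS sets from the dig output above. It assumes a simplified model of delegation-only in which host records held directly in the TLD zone are the ones at risk; the "example." zone and the function names are constructed for contrast.

```python
# Constructed input: the three NS sets copied from the dig output in the message.
NS_SETS = {
    "org.": "a0.org.afilias-nst.info. d0.org.afilias-nst.org. b0.org.afilias-nst.org. "
            "c0.org.afilias-nst.info. a2.org.afilias-nst.info. b2.org.afilias-nst.org.".split(),
    "org.afilias-nst.info.": "b0.org.afilias-nst.org. d0.org.afilias-nst.org. a0.org.afilias-nst.info. "
            "c0.org.afilias-nst.info. a2.org.afilias-nst.info. b2.org.afilias-nst.org.".split(),
    "org.afilias-nst.org.": "c0.org.afilias-nst.info. b0.org.afilias-nst.org. b2.org.afilias-nst.org. "
            "a0.org.afilias-nst.info. d0.org.afilias-nst.org. a2.org.afilias-nst.info.".split(),
}
# Hypothetical contrast case: a TLD whose NS host records sit directly in the TLD zone.
FLAT = {"example.": ["ns1.example.", "ns2.example."]}

def labels(name):
    """Split a domain name into lowercase labels; the root is the empty list."""
    s = name.lower().rstrip(".")
    return s.split(".") if s else []

def in_bailiwick(name, zone):
    """True when name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def enclosing_zone(name, zones):
    """Deepest known zone containing name, or None if no known zone does."""
    hits = [z for z in zones if in_bailiwick(name, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)

def audit(zone, ns_sets):
    """Map each NS of zone to 'external', 'delegated' or 'in-zone'."""
    result = {}
    for ns in ns_sets[zone]:
        if not in_bailiwick(ns, zone):
            result[ns] = "external"    # named under a different TLD
        elif enclosing_zone(ns, ns_sets) == zone:
            result[ns] = "in-zone"     # record lives in the zone itself: at risk (assumed model)
        else:
            result[ns] = "delegated"   # below a zone cut, so it arrives with a delegation
    return result

def same_servers(ns_sets):
    """True when every zone lists the same NS set, i.e. the zones are co-hosted."""
    return len({frozenset(v) for v in ns_sets.values()}) == 1

if __name__ == "__main__":
    for ns, kind in sorted(audit("org.", NS_SETS).items()):
        print(f"{kind:10} {ns}")
    print("co-hosted:", same_servers(NS_SETS))
```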