[dns-operations] All NSs for a TLD being in the TLD itself
jabley at hopcount.ca
Tue Oct 29 13:37:05 UTC 2013
On 2013-10-29, at 06:18, Jaap Akkerhuis <jaap at NLnetLabs.nl> wrote:
> If I remember correctly, the whole mess was augmented by all these
> resolvers which thought that SE had a delegation only policy. When
> the name servers became in bailiwick ...
The threat of delegation-only configuration in BIND9 was one of the things that caused me to propose the naming scheme you see for Afilias's hosted TLDs, back in the day.
Aside from the general ugliness and confusion that all those similar NS names cause (sorry about that), the general approach was to delegate the TLD to names in separate zones, but to host those zones alongside the TLD on the same nameserver. So, for example, we see:
[walrus:~]% dig org. ns +short
[walrus:~]% dig org.afilias-nst.info. ns +short
[walrus:~]% dig org.afilias-nst.org ns +short
This allows any of those nameservers to answer authoritatively for any of those three zones, but provides defence against people asserting delegation-only semantics in ORG.
The use of separate superordinate TLDs for the nameservers themselves (ORG and INFO) was to avoid the question of whether there was a risk in naming them all under one TLD, since that question is difficult to answer convincingly; the risk profile when you consider all possible failure modes gets complicated to describe, quickly.
I haven't worked for Afilias for many years and certainly don't speak for them (or PIR) now, so consider this a historical nugget rather than anything authoritative about present-day operations or strategy :-)
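As an added illustration (not part of the original message, and not BIND's own code), here is a simplified Python model of the delegation-only rule as the BIND 9 documentation describes it: an answer from a delegation-only zone with no delegation in its authority section is treated as NXDOMAIN, except at the zone apex. Only the zone names come from the message; the host labels "ns1" and "x0" and the response contents are constructed.

```python
# Simplified model of a resolver-side delegation-only check (added example).
from dataclasses import dataclass, field


def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def strictly_below(name, zone):
    """True if name is a proper subdomain of zone (not the zone apex itself)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z


@dataclass
class Response:
    qname: str
    # Owner names of the NS RRsets found in the authority section.
    authority_ns_owners: list = field(default_factory=list)


def delegation_only_verdict(resp, zone):
    """Return "ACCEPT" or "NXDOMAIN" for a response from a delegation-only zone."""
    if not strictly_below(resp.qname, zone):
        return "ACCEPT"      # zone apex or unrelated name: rule does not apply
    if any(strictly_below(owner, zone) for owner in resp.authority_ns_owners):
        return "ACCEPT"      # NS set of a child zone: a delegation is present
    return "NXDOMAIN"        # data served directly from the parent zone


# Constructed responses; host labels "ns1" and "x0" are hypothetical.
SAMPLES = {
    "in_zone_host": (Response("ns1.se.", ["se."]), "se."),
    "separate_zone_host": (Response("x0.org.afilias-nst.org.", ["org.afilias-nst.org."]), "org."),
    "apex": (Response("org.", ["org."]), "org."),
    "referral": (Response("www.example.org.", ["example.org."]), "org."),
}


def run_samples():
    return {k: delegation_only_verdict(r, z) for k, (r, z) in SAMPLES.items()}


if __name__ == "__main__":
    for case, verdict in run_samples().items():
        print(f"{case:20} {verdict}")
```

The "in_zone_host" case is the failure mode the quoted text refers to; the "separate_zone_host" case is accepted because the NS set in the authority section belongs to a zone below ORG.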