[dns-operations] All NSs for a TLD being in the TLD itself
Einar Lönn
einar.lonn at iis.se
Tue Oct 29 14:56:26 UTC 2013
On Oct 29, 2013, at 2:37 PM, Joe Abley wrote:
>
> On 2013-10-29, at 06:18, Jaap Akkerhuis <jaap at NLnetLabs.nl> wrote:
>
>> If I remember correctly, the whole mess was augmented by all these
>> resolvers which thought that SE had a delegation only policy. When
>> the name servers became in bailiwick ...
>
> The threat of delegation-only configuration in BIND9 was one of the things that caused me to propose the naming scheme you see for Afilias's hosted TLDs, back in the day.
>
> Aside from the general ugliness and confusion that all those similar NS names cause (sorry about that) the general approach was to delegate the TLD to names in separate zones, but to host those zones alongside the TLD on the same nameserver. So, for example, we see
>
> [walrus:~]% dig org. ns +short
> a0.org.afilias-nst.info.
> d0.org.afilias-nst.org.
> b0.org.afilias-nst.org.
> c0.org.afilias-nst.info.
> a2.org.afilias-nst.info.
> b2.org.afilias-nst.org.
> [walrus:~]% dig org.afilias-nst.info. ns +short
> b0.org.afilias-nst.org.
> d0.org.afilias-nst.org.
> a0.org.afilias-nst.info.
> c0.org.afilias-nst.info.
> a2.org.afilias-nst.info.
> b2.org.afilias-nst.org.
> [walrus:~]% dig org.afilias-nst.org ns +short
> c0.org.afilias-nst.info.
> b0.org.afilias-nst.org.
> b2.org.afilias-nst.org.
> a0.org.afilias-nst.info.
> d0.org.afilias-nst.org.
> a2.org.afilias-nst.info.
> [walrus:~]%
>
> This allows any of those nameservers to answer authoritatively for any of those three zones, but provides defence against people asserting delegation-only semantics in ORG.
>
> The use of separate superordinate TLDs for the nameservers themselves (ORG and INFO) was to avoid the question of whether there was a risk in naming them all under one TLD, since that question is difficult to answer convincingly; the risk profile when you consider all possible failure modes gets complicated to describe, quickly.
>
> I haven't worked for Afilias for many years and certainly don't speak for them (or PIR) now, so consider this a historical nugget rather than anything authoritative about present-day operations or strategy :-)
>
>
> Joe
Although humanly quite tricky, this naming scheme has a nice machine/computer thought behind it; if we had more than one TLD and used a similar scheme, the incident we had would simply not have occurred, as "only" one TLD could have been affected by the ORIGIN issue whilst still retaining the bonuses DNSSEC offers.
I suppose you could say it's an unusual luxury to have more than one TLD at your disposal to do something like this, but it's still a nice naming strategy imho, so - nice job! :) Hmm, and since September this year we have .NU, so I guess it would be possible for us too... interesting... ;)
/Regards, Einar
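The following is an added example, not code from either poster or from Afilias. It classifies a TLD's NS names by the zone that actually holds them, which is the distinction Joe's scheme relies on: the names b0.org.afilias-nst.org etc. sit under .org as names, but live in the separate zone org.afilias-nst.org rather than in the org zone itself, so a resolver applying delegation-only semantics to org never has to accept non-delegation answers from the org servers to find the org nameservers. Zone cuts are not discoverable offline, so they are supplied as an explicit set (constructed from the zones visible in the dig output above, plus the TLDs); the "example" TLD and its a.ns.example/b.ns.example servers in the second case are hypothetical, to show the all-in-bailiwick pattern in the subject line.

```python
"""Classify a TLD's nameserver names by enclosing zone (added example, offline).

Zone cuts are passed in explicitly because they cannot be inferred from names
alone; the ZONES set below is constructed from the dig output in the thread.
"""
from __future__ import annotations

# Constructed sample input: the `dig org. ns +short` output quoted in the thread.
DIG_ORG_NS = """\
a0.org.afilias-nst.info.
d0.org.afilias-nst.org.
b0.org.afilias-nst.org.
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b2.org.afilias-nst.org.
"""

# Assumed zone cuts: the two hosting zones shown in the thread plus the TLDs.
ZONES = {"org", "info", "org.afilias-nst.org", "org.afilias-nst.info"}


def norm(name: str) -> str:
    """Canonical form: lower-case, no trailing dot, no surrounding whitespace."""
    return name.strip().rstrip(".").lower()


def parse_dig_short(text: str) -> list[str]:
    """Turn `dig ... +short` output into a list of names, skipping blank lines."""
    return [norm(line) for line in text.splitlines() if line.strip()]


def tld(name: str) -> str:
    """Rightmost label of a name."""
    return norm(name).rsplit(".", 1)[-1]


def enclosing_zone(name: str, zones: set[str]) -> str | None:
    """Longest known zone containing `name` (the name itself may be a zone apex)."""
    labels = norm(name).split(".")
    for i in range(len(labels)):          # full name first, then strip leading labels
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def analyse(tld_zone: str, ns_names: list[str], zones: set[str]) -> dict:
    """Report which NS names live in the TLD zone itself and which parent TLDs
    the NS set depends on.

    - in_tld_zone: address records for these names would be served as ordinary
      authoritative data by the TLD zone, i.e. answers without a delegation,
      which is exactly what a delegation-only resolver discards.
    - parent_tlds: the set of TLDs the NS names hang under; a single entry means
      one TLD failure mode takes out every route to the nameservers.
    """
    tld_zone = norm(tld_zone)
    zones = {norm(z) for z in zones} | {tld_zone}
    servers: dict[str, str | None] = {}
    in_tld_zone: list[str] = []
    unknown: list[str] = []
    parents: set[str] = set()
    for ns in map(norm, ns_names):
        zone = enclosing_zone(ns, zones)
        servers[ns] = zone
        if zone is None:
            unknown.append(ns)
            continue
        if zone == tld_zone:
            in_tld_zone.append(ns)
        parents.add(tld(ns))
    return {
        "zone": tld_zone,
        "servers": servers,
        "in_tld_zone": in_tld_zone,
        "unknown_zone": unknown,
        "parent_tlds": sorted(parents),
        "all_in_tld_zone": len(in_tld_zone) == len(ns_names),
        "delegation_only_safe": not in_tld_zone,
        "single_tld_dependency": len(parents) == 1,
    }


if __name__ == "__main__":
    for label, report in (
        ("org (scheme from the thread)", analyse("org", parse_dig_short(DIG_ORG_NS), ZONES)),
        # Hypothetical TLD whose NS names all sit inside the TLD zone itself.
        ("example (hypothetical, all in-zone)",
         analyse("example", ["a.ns.example.", "b.ns.example."], {"example"})),
    ):
        print(label)
        for ns, zone in report["servers"].items():
            print(f"  {ns:28} -> zone {zone}")
        print("  in TLD zone itself   :", report["in_tld_zone"] or "none")
        print("  parent TLDs          :", report["parent_tlds"])
        print("  delegation-only safe :", report["delegation_only_safe"])
        print("  single-TLD dependency:", report["single_tld_dependency"])
```

The check is only as good as the zone set you feed it: without the org.afilias-nst.org and org.afilias-nst.info cuts, the three .org-suffixed names would be reported as living in the org zone, which is the wrong conclusion for this design.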