[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

Colm MacCárthaigh colm at stdlib.net
Thu Sep 11 18:51:38 UTC 2014


On Thu, Sep 11, 2014 at 9:46 AM, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> Also, it's not like it's terrifically onerous, although I know some
> registrars' web interfaces for this are messy and confusing.

I do think that the policies of the .is GLTD are a net harm for DNS.
They require that DNS servers respond to queries they aren't
authoritative for (e.g. with a SERVFAIL or a REFUSED). Besides the
reflection attack risk, this also means the behavior-of-last-resort
should be to respond "with an error"; but I'd prefer to leave the
question unanswered in case another name server for the domain does
know how to serve the query.

For example if a provider booted a box with an empty configuration, it
would be much better to timeout queries than respond with SERVFAIL or
REFUSED.

-- 
Colm

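The behaviours Colm contrasts above (an authoritative answer, a REFUSED or SERVFAIL error, a non-authoritative answer, or no answer at all) are all visible in the DNS header of a single SOA probe, which is roughly what a registry's pre-delegation check looks at. The following is an added example, not part of the original post or of any registry's actual tooling: it builds a SOA query with hand-packed headers, classifies a response by its QR/AA bits and RCODE, and treats a socket timeout as its own outcome. The zone name example.net, the server name ns1.example.net, and the sample responses are constructed here so that the classifier runs offline; the probe() helper that actually sends the query over UDP is included for completeness but not exercised by the samples.

```python
"""Probe a nameserver for a zone's SOA and classify how it answers.

Added example for the dns-operations thread above: distinguishes an
authoritative answer from REFUSED, SERVFAIL, a lame (non-authoritative)
answer and silence. Names and sample packets below are constructed.
"""
import socket
import struct

NOERROR, SERVFAIL, REFUSED = 0, 2, 5
QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    # RD=0: we want the server's own view, not a recursive lookup.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(msg: bytes) -> str:
    """Classify a raw DNS reply by its header alone."""
    if len(msg) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        return "malformed"          # a query echoed back, not a response
    rcode = flags & 0x000F
    if rcode == REFUSED:
        return "refused"
    if rcode == SERVFAIL:
        return "servfail"
    if rcode == NOERROR and flags & FLAG_AA and ancount > 0:
        return "authoritative"
    if rcode == NOERROR and not flags & FLAG_AA:
        return "lame"               # answered, but not authoritative for the zone
    return "rcode%d" % rcode


def probe(zone: str, server: str, timeout: float = 2.0) -> str:
    """Send the SOA query over UDP; a silent server yields 'timeout'."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


def make_response(query: bytes, rcode: int, aa: bool, soa_rr: bool = False) -> bytes:
    """Constructed reply to `query`, optionally carrying one SOA record."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    question = query[12:]
    answer = b""
    if soa_rr:
        rdata = (encode_name("ns1.example.net")          # constructed MNAME
                 + encode_name("hostmaster.example.net")  # constructed RNAME
                 + struct.pack("!IIIII", 2014091101, 7200, 3600, 1209600, 3600))
        # 0xC00C: compression pointer to the name in the question section.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if soa_rr else 0, 0, 0)
    return header + question + answer


# Constructed sample traffic for the zone example.net.
QUERY = build_soa_query("example.net")
SAMPLE_AUTHORITATIVE = make_response(QUERY, NOERROR, aa=True, soa_rr=True)
SAMPLE_REFUSED = make_response(QUERY, REFUSED, aa=False)
SAMPLE_SERVFAIL = make_response(QUERY, SERVFAIL, aa=False)
SAMPLE_LAME = make_response(QUERY, NOERROR, aa=False)

if __name__ == "__main__":
    for label, pkt in (("authoritative", SAMPLE_AUTHORITATIVE), ("refused", SAMPLE_REFUSED),
                       ("servfail", SAMPLE_SERVFAIL), ("lame", SAMPLE_LAME)):
        print(label, "->", classify_response(pkt))
```

A check that only accepts "authoritative" is the strict registry policy being criticised; a server left with an empty configuration, as in Colm's scenario, would show up as "refused" or "servfail" under that policy, and as "timeout" under the behaviour he prefers.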