[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?
dot at dotat.at
Fri Sep 12 13:31:32 UTC 2014
Warren Kumari <warren at kumari.net> wrote:
> I cannot remember all the details, but basically I create a host
> object (nameserver) named whatever the service I want to serve is --
> so, if I have example.com, I register the nameserver as
> 'www.example.com', with the IP of my webserver, and now most of my
> lookups are handled simply by the glue.
That shouldn't work. RFC 2181 says you can't promote glue to an answer:
Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query. They may be returned as additional
information where appropriate. Ignoring this would allow the
trustworthiness of relatively untrustworthy data to be increased
without cause or excuse.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
More information about the dns-operations