[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

Tony Finch dot at dotat.at
Fri Sep 12 13:31:32 UTC 2014

Warren Kumari <warren at kumari.net> wrote:
> I cannot remember all the details, but basically I create a host
> object (nameserver) named whatever the service I want to serve is --
> so, if I have example.com, I register the nameserver as
> 'www.example.com', with the IP of my webserver, and now most of my
> lookups are handled simply by the glue.

That shouldn't work. RFC 2181 says you can't promote glue to an answer:

   Unauthenticated RRs received and cached from the least trustworthy of
   those groupings, that is data from the additional data section, and
   data from the authority section of a non-authoritative answer, should
   not be cached in such a way that they would ever be returned as
   answers to a received query.  They may be returned as additional
   information where appropriate.  Ignoring this would allow the
   trustworthiness of relatively untrustworthy data to be increased
   without cause or excuse.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.

More information about the dns-operations mailing list