[dns-operations] Fwd: Re: [Security] Glue or not glue?

Mark Andrews marka at isc.org
Wed Jun 10 00:23:27 UTC 2015


In message <55771150.7090704 at redbarn.org>, Paul Vixie writes:
> 
> 
> Mark E. Jeftovic wrote:
> > I'd like to revisit this thread because I never got a response last time.
> > ...
> > Paul when you say:
> >
> >> if we're voting, i agree with this recommendation. (we should have named
> >> the root name servers X.ROOT-SERVERS without a delegation for
> >> .ROOT-SERVERS, so as to keep them in-zone, and we're still paying for
> >> that mistake.)
> >
> > ...
> >
> > ... are you saying this would be your preferred method for wider use?
> > I.e. when Joe 6-pack regs joesixpack.six and he's going to just host a
> > website and email he should have in bailiwick nameservers (even if those
> > nameservers are being operated by his registrar/web host/dns provider?)
> >
> > In other words, are you saying every domain registered should have
> > "vanity" nameservers?
> 
> no. thanks for asking, this is an important distinction. only a
> delegation-mostly or delegation-only zone would benefit from in-zone
> name server names. for the rest, i think we get a far greater benefit
> from sharing name server names among large numbers of zones, than we
> could get by including name server AAAA and A RRsets in the delegation.
> 
> -- 
> Paul Vixie

Additionally there are "risks" with both strategies.  If you have
vanity names then you have the risk of not updating all the glue
records when you renumber the nameservers.

The biggest issue is not having delegations checked by all parties
involved in the delegation.  Checks catch errors and the DNS has a
high error rate with delegation being broken due to this lack of
checking.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
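
Added example, not part of the original message: a sketch of the kind of delegation check discussed above, comparing the parent's NS set and glue with what the child zone publishes after a renumbering. The function names, the joesixpack.six records and all addresses are constructed; collecting the two views from the parent and child servers is assumed to happen elsewhere.

```python
import ipaddress

def norm(name):
    """Compare DNS names case-insensitively, ignoring the trailing dot."""
    return name.rstrip(".").lower()

def addr_map(rrsets):
    """Parse addresses so equivalent IPv6 spellings compare equal."""
    return {norm(n): {ipaddress.ip_address(a) for a in addrs}
            for n, addrs in rrsets.items()}

def check_delegation(zone, parent_ns, parent_glue, child_ns, child_addrs):
    """Return (problem, nameserver, detail) tuples for one delegation."""
    zone = norm(zone)
    p_ns = {norm(n) for n in parent_ns}
    c_ns = {norm(n) for n in child_ns}
    glue, auth = addr_map(parent_glue), addr_map(child_addrs)
    problems = [("ns-only-at-parent", n, "") for n in sorted(p_ns - c_ns)]
    problems += [("ns-only-at-child", n, "") for n in sorted(c_ns - p_ns)]
    for n in sorted(p_ns):
        if not (n == zone or n.endswith("." + zone)):
            continue  # out-of-bailiwick name: resolved elsewhere, no glue needed
        if n not in glue:
            problems.append(("missing-glue", n, ""))
        elif n in auth and glue[n] != auth[n]:
            stale = sorted(str(a) for a in glue[n] - auth[n])
            absent = sorted(str(a) for a in auth[n] - glue[n])
            problems.append(("glue-mismatch", n, f"stale={stale} absent={absent}"))
    return problems

# Constructed sample: ns1 was renumbered in the child zone, but the parent
# still holds the old glue; ns2 was updated on both sides.
ZONE = "joesixpack.six"
PARENT_NS = ["ns1.joesixpack.six.", "ns2.joesixpack.six.", "ns3.provider.example."]
PARENT_GLUE = {"ns1.joesixpack.six.": ["192.0.2.1"],
               "ns2.joesixpack.six.": ["198.51.100.2", "2001:db8::2"]}
CHILD_NS = ["NS1.joesixpack.six", "ns2.joesixpack.six", "ns3.provider.example"]
CHILD_ADDRS = {"ns1.joesixpack.six": ["198.51.100.1"],
               "ns2.joesixpack.six": ["198.51.100.2", "2001:0db8:0:0:0:0:0:2"]}

if __name__ == "__main__":
    for p in check_delegation(ZONE, PARENT_NS, PARENT_GLUE, CHILD_NS, CHILD_ADDRS):
        print(*p)
```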


