[dns-operations] sibling glue

Mark Andrews marka at isc.org
Tue Jun 23 21:52:39 UTC 2015


In message <87oak69rgm.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Tony Finch:
> 
> > A question for those who know more about registry rules than me...
> 
> Practically speaking, a registry-style zone operator must filter out
> sibling glue, or there will be domain hijacks.  The zone operator does
> not know the structure of the reselling chain and cannot determine if
> two zones are run by the same entity and can therefore be properly
> cross-glued.

Total garbage.  This is not the registry's job.  The only thing the
registry has to ensure is that glue records get added/modified/changed
by the correct registrant.

A can contract with B to serve the zone.  It is up to A to update
the delegation NS records as the contract changes.  It is up to B
to maintain the address records.  It is up to the registry, A and
B to periodically check that the NS records and the address records
the registry holds match what is being served and, when they don't,
to take steps to bring them back into consistency with each other.

> I don't know if this is done consistently.  Probably not.
> 
> By the way, has anyone reviewed OpenStack Designate for such issues?
> (It's supposed to support multiple tenants.)
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
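
The periodic check described in the message above (registry-held NS and address records compared with what is being served), as an added example that is not part of the original post or of any registry's tooling. The record sets are constructed sample data using documentation names and addresses, and the function names and finding labels are hypothetical; a real check would obtain the served side from DNS queries.

```python
import ipaddress

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def addr_set(values):
    """Parse addresses so equivalent IPv6 spellings compare equal."""
    return {ipaddress.ip_address(v) for v in values}

def glue_kind(ns_name, zone):
    """'in-domain' if the server name is at or below the delegated zone.
    Assumption: any other name the registry holds glue for is a sibling."""
    ns_name, zone = norm(ns_name), norm(zone)
    inside = ns_name == zone or ns_name.endswith("." + zone)
    return "in-domain" if inside else "sibling"

def check_delegation(zone, registry, served):
    """Return sorted (problem, name, detail) tuples where the two sides differ."""
    reg_ns = {norm(n) for n in registry["ns"]}
    srv_ns = {norm(n) for n in served["ns"]}
    findings = [("ns-only-at-registry", n, "") for n in reg_ns - srv_ns]
    findings += [("ns-only-in-zone", n, "") for n in srv_ns - reg_ns]
    srv_addr = {norm(k): addr_set(v) for k, v in served["addr"].items()}
    for name, values in registry["glue"].items():
        held, live = addr_set(values), srv_addr.get(norm(name), set())
        if held != live:
            detail = "held=%s served=%s" % (sorted(map(str, held)), sorted(map(str, live)))
            findings.append(("glue-mismatch-" + glue_kind(name, zone), norm(name), detail))
    return sorted(findings)

# Constructed sample data: A's zone a.example, partly served by B (b.example).
REGISTRY = {  # what the registry holds for the delegation
    "ns": ["ns1.a.example.", "ns1.b.example."],
    "glue": {"ns1.a.example.": ["192.0.2.1"],
             "ns1.b.example.": ["198.51.100.7", "2001:db8::53"]},
}
SERVED = {  # what the authoritative servers publish (would come from DNS queries)
    "ns": ["NS1.A.example.", "ns2.b.example."],
    "addr": {"ns1.a.example.": ["192.0.2.1"],
             "ns1.b.example.": ["198.51.100.9", "2001:DB8:0:0:0:0:0:53"]},
}

if __name__ == "__main__":
    for problem, name, detail in check_delegation("a.example.", REGISTRY, SERVED):
        print(problem, name, detail)
```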
