[dns-operations] Bloke takes over every .io domain by snapping up crucial name servers

[Robert Edmonds]

Tony Finch wrote:
> Robert Edmonds <edmonds at mycre.ws> wrote:
> >
> > Matt's article assumes resolvers that are happy to use glue addresses to
> > reach nameservers but there are at least some resolver implementations
> > that actively attempt to find a zone's authoritative nameserver
> > addresses when following a delegation rather than relying on glue
> > address records.
> 
> A particular instance of this is Unbound with "harden-referral-path"
> enabled - https://unbound.net/documentation/unbound.conf.html

"harden-referral-path: yes" definitely makes Unbound perform that way,
but I think it still actively looks up at least some nameserver
addresses if you leave "target-fetch-policy" at the default value.

-- 
Robert Edmonds