[dns-operations] [Ext] Re: (In)correct handling of wildcard NS at zone apex.
Ray Bellis
ray at isc.org
Fri Jun 1 13:37:41 UTC 2018
On 01/06/2018 14:14, Edward Lewis wrote:
> I do believe that there are name servers that create zones on the
> fly. I won't 'fess up names, but if anyone who's done this wants to
> speak up, how hard is it to on-demand provision a zone vs. relying on
> a wildcard NS?
I've done this in the code I wrote to assist APNIC's DNS experiments,
but in that code the parent zone was also synthesized, so it was
possible to dynamically generate the per-child DS record.
I had to include code to specifically deny the existence of a wildcard,
even though a "virtual" wildcard was in effect present.
As you surmised, I also believe it's impossible for a true wildcard NS
using the '*' label to work with DNSSEC because of the issue with the
owner name forming part of the DS hash.
Ray
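As an added illustration of the DS point above (not Ray's code, and not from the APNIC tooling he mentions): a DS digest is computed over the canonical owner name concatenated with the DNSKEY RDATA (RFC 4034), so the same key served under two different child names yields two different digests, and no single DS published at a wildcard owner can match them. Names, key bytes and flags below are constructed.

```python
import hashlib


def canonical_name(name: str) -> bytes:
    """Wire-format owner name in canonical form (RFC 4034 s6.2): lowercase
    labels, each prefixed by its length, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over canonical owner name || DNSKEY RDATA."""
    return hashlib.sha256(canonical_name(owner) + rdata).hexdigest()


# Constructed sample key material (not a real key): the one DNSKEY a
# wildcard-NS setup would serve under every synthesized child name.
KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))


def wildcard_ds_covers(ds_owner: str, queried_child: str, rdata: bytes) -> bool:
    """Would a DS published for ds_owner validate the DNSKEY at queried_child?
    Only if the digests agree, which requires the owner names to be equal."""
    return ds_digest(ds_owner, rdata) == ds_digest(queried_child, rdata)


if __name__ == "__main__":
    for child in ("a.example.", "b.example.", "*.example."):
        print(child, ds_digest(child, KEY))
    print(wildcard_ds_covers("*.example.", "a.example.", KEY))
```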