nanog mailing list archives
Re: Root Server Operators (Re: What *are* they smoking?)
From: bert hubert <ahu () ds9a nl>
Date: Wed, 17 Sep 2003 16:17:25 +0200
On Wed, Sep 17, 2003 at 03:35:31PM +0200, Stefan Baltus wrote:
> On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
> > On Wed, 17 Sep 2003, Paul Vixie wrote:
> >
> > : > Anyone have a magic named.conf incantation to counter the verisign
> > : > braindamage?
> > :
> > : zone "com" { type delegation-only; };
> > : zone "net" { type delegation-only; };
>
> My first reaction to this was: 'yuck'. I'm not sure of the side-effects
> this will introduce. Anyone?

The only thing I am slightly worried about is setups that currently "work" because they rely on glue. Nothing is to stop someone from doing:

    yourdomain.com      IN NS  www.yourdomain.com.
    yourdomain.com      IN NS  yourdomain.com.
    www.yourdomain.com  IN A   1.2.3.4
    yourdomain.com      IN A   1.2.3.4

And not run a nameserver at all and completely rely on glue. Something like this can be seen on www.airow.com:

    $ dig www.airow.com @a.gtld-servers.net
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24292
    ;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.airow.com.                 IN      A

    ;; ANSWER SECTION:
    www.airow.com.          172800  IN      A       66.82.206.10

Note the lack of 'aa' bit - but I wonder how many resolvers were accepting this answer. I know pdns_recursor does, it trusts glue to be right.

In this case, if we actually bother to ask the nameserver www.airow.com for the IP address of www.airow.com, we don't get an answer. If we ask the other listed nameserver for airow.com (ns1.rfwwp.com), we get a different IP address, 208.191.129.189.

Different recursors that are publicly (130.161.180.1, 195.96.96.97) available appear to return the first address when currently queried for www.airow.com, so they trust the glue too. After delegation-only, they will start to return 208.191.129.189.

Which is probably an improvement, but a change no less. So I'm unsure about ISC's approach.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
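
Added example, not part of the original post: a small audit helper that reads saved `dig` output from a parent (TLD) server and lists names the parent answered directly without the `aa` bit, the case the message above describes. The function names and labels are this example's own, the referral sample is constructed, and the logic is a simple header check, not BIND's delegation-only implementation.

```python
import re

# The dig output quoted in the post (its AUTHORITY/ADDITIONAL records were trimmed).
GLUE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24292
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.airow.com. IN A
;; ANSWER SECTION:
www.airow.com. 172800 IN A 66.82.206.10
"""
# Constructed sample: a plain referral for a reserved example name.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 172800 IN A 192.0.2.1
"""

def parse_dig(text):
    """Return (flags, header counts, records per section) from dig text output."""
    flags, counts, sections, current = set(), {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r";; flags:([^;]*);(.*)", line):
            flags = set(m.group(1).split())
            counts = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(2))}
        elif m := re.match(r";; (\w+) SECTION:", line):
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((name.lower(), rtype, rdata))
    return flags, counts, sections

def classify(text):
    flags, counts, sections = parse_dig(text)
    if counts.get("ANSWER", 0) > 0:  # header count: sections may be trimmed
        return "authoritative-answer" if "aa" in flags else "non-authoritative-answer"
    if any(rtype == "NS" for _, rtype, _ in sections.get("AUTHORITY", [])):
        return "referral"
    return "other"

def glue_dependent(outputs):
    """Names the parent answered directly without the aa bit."""
    return [(name, rdata) for out in outputs if classify(out) == "non-authoritative-answer"
            for name, _, rdata in parse_dig(out)[2].get("ANSWER", [])]
```

Running `glue_dependent` over saved `dig` output for the names you care about gives the list of names whose resolution may change once a resolver stops accepting such answers.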