On Wed, Sep 17, 2003 at 03:35:31PM +0200, Stefan Baltus wrote:
On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
On Wed, 17 Sep 2003, Paul Vixie wrote:
: > Anyone have a magic named.conf incantation to counter the verisign
: > braindamage?
:
: zone "com" { type delegation-only; };
: zone "net" { type delegation-only; };
My first reaction to this was: 'yuck'. I'm not sure of the side-effects this will introduce. Anyone?
The only thing I am slightly worried about is setups that currently "work"
because they rely on glue. Nothing is to stop someone from doing:

yourdomain.com          IN NS   www.yourdomain.com.
yourdomain.com          IN NS   yourdomain.com.
www.yourdomain.com      IN A    1.2.3.4
yourdomain.com          IN A    1.2.3.4

and not running a nameserver at all, relying completely on glue.

Something like this can be seen on www.airow.com:

$ dig www.airow.com @a.gtld-servers.net

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24292
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.airow.com.                 IN      A

;; ANSWER SECTION:
www.airow.com.          172800  IN      A       66.82.206.10

Note the lack of the 'aa' bit - but I wonder how many resolvers were
accepting this answer. I know pdns_recursor does; it trusts glue to be
right.

In this case, if we actually bother to ask the nameserver www.airow.com for
the IP address of www.airow.com, we don't get an answer. If we ask the
other listed nameserver for airow.com (ns1.rfwwp.com), we get a different
IP address, 208.191.129.189.

Different recursors that are publicly available (130.161.180.1,
195.96.96.97) appear to return the first address when currently queried for
www.airow.com, so they trust the glue too. After delegation-only, they will
start to return 208.191.129.189. Which is probably an improvement, but a
change no less.

So I'm unsure about ISC's approach.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
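The side effect described in the message above, as an added example that is not part of the thread and not PowerDNS or BIND code: a small offline model of a recursor resolving www.airow.com, once trusting the non-'aa' glue answer from the TLD server and once with a simplified version of BIND's "delegation-only" filter applied to the com servers. The responses are constructed from the data quoted in the message (the two NS records, the glue address 66.82.206.10, the authoritative address 208.191.129.189, and the fact that www.airow.com itself does not answer); the filter is an assumption about delegation-only's behaviour (drop any non-referral answer from the zone's servers and follow the delegation instead), not BIND's actual implementation.

```python
"""Toy model of glue-trusting vs. delegation-only resolution (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    aa: bool = False                      # authoritative-answer flag
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


# Constructed data, modelled on the dig output and addresses quoted in the message.
GLUE_NS = [RR("airow.com.", "NS", "www.airow.com."),
           RR("airow.com.", "NS", "ns1.rfwwp.com.")]
GLUE_A = [RR("www.airow.com.", "A", "66.82.206.10")]


def gtld_server(qname):
    """Model of a.gtld-servers.net: a referral for airow.com. For the glue name it
    also copies the glue A record into the answer section without 'aa', which is
    the shape of the dig output in the message."""
    answer = [rr for rr in GLUE_A if rr.name == qname]
    return Response(aa=False, answer=answer, authority=GLUE_NS, additional=GLUE_A)


def rfwwp_server(qname):
    """Model of ns1.rfwwp.com, the other listed nameserver, answering authoritatively."""
    if qname == "www.airow.com.":
        return Response(aa=True, answer=[RR(qname, "A", "208.191.129.189")])
    return Response(aa=True)


# Where the recursor can send queries. www.airow.com (66.82.206.10) runs no
# nameserver, so it is mapped to None; ns1.rfwwp.com is reached by name here
# (assumption: its own address resolves normally, which the toy skips).
SERVERS = {
    "66.82.206.10": None,
    "ns1.rfwwp.com.": rfwwp_server,
}


def answer_is_unverified_glue(resp):
    """The check a recursor could apply: a non-empty answer section without the
    'aa' bit, whose records also appear as glue in the additional section."""
    glue = set(resp.additional)
    return bool(resp.answer) and not resp.aa and all(rr in glue for rr in resp.answer)


def delegation_only(resp):
    """Simplified model of BIND's 'type delegation-only' on the com servers: keep only
    the referral (NS + glue); a non-authoritative answer is dropped, so the recursor
    must follow the delegation. BIND itself rewrites such answers as NXDOMAIN."""
    if resp.answer and not resp.aa:
        return Response(aa=False, answer=[], authority=resp.authority,
                        additional=resp.additional)
    return resp


def resolve_a(qname, trust_glue=True, com_delegation_only=False):
    """Return the A rdata a recursor ends up with for qname, or None."""
    resp = gtld_server(qname)
    if com_delegation_only:
        resp = delegation_only(resp)
    if trust_glue:
        for rr in resp.answer:            # pdns_recursor-style: accept the glue answer
            if rr.rtype == "A" and rr.name == qname:
                return rr.rdata
    # Otherwise follow the referral and ask each listed nameserver in turn.
    for ns in resp.authority:
        glue = [g for g in resp.additional if g.name == ns.rdata]
        key = glue[0].rdata if glue else ns.rdata
        server = SERVERS.get(key)
        if server is None:
            continue                      # no nameserver listening, try the next NS
        ans = server(qname)
        for rr in ans.answer:
            if ans.aa and rr.rtype == "A" and rr.name == qname:
                return rr.rdata
    return None


if __name__ == "__main__":
    print("glue trusted:     ", resolve_a("www.airow.com."))
    print("delegation-only:  ", resolve_a("www.airow.com.", com_delegation_only=True))
```

With glue trusted the recursor returns the glue address straight from the TLD server; with the delegation-only filter the same query walks the delegation, gets nothing from www.airow.com and ends up with ns1.rfwwp.com's authoritative 208.191.129.189, which is exactly the behaviour change the message describes.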