On 2013-10-29, at 06:18, Jaap Akkerhuis <[email protected]> wrote:

> If I remember correctly, the whole mess was augmented by all these
> resolvers which thought that SE had a delegation only policy. When
> the name servers became in bailiwick ...

The threat of delegation-only configuration in BIND9 was one of the things that 
caused me to propose the naming scheme you see for Afilias's hosted TLDs, back 
in the day.

Aside from the general ugliness and confusion that all those similar NS names 
cause (sorry about that) the general approach was to delegate the TLD to names 
in separate zones, but to host those zones alongside the TLD on the same 
nameserver. So, for example, we see

[walrus:~]% dig org. ns +short
a0.org.afilias-nst.info.
d0.org.afilias-nst.org.
b0.org.afilias-nst.org.
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b2.org.afilias-nst.org.
[walrus:~]% dig org.afilias-nst.info. ns +short
b0.org.afilias-nst.org.
d0.org.afilias-nst.org.
a0.org.afilias-nst.info.
c0.org.afilias-nst.info.
a2.org.afilias-nst.info.
b2.org.afilias-nst.org.
[walrus:~]% dig org.afilias-nst.org ns +short
c0.org.afilias-nst.info.
b0.org.afilias-nst.org.
b2.org.afilias-nst.org.
a0.org.afilias-nst.info.
d0.org.afilias-nst.org.
a2.org.afilias-nst.info.
[walrus:~]% 

This allows any of those nameservers to answer authoritatively for any of those 
three zones, but provides defence against people asserting delegation-only 
semantics in ORG.

The use of separate superordinate TLDs for the nameservers themselves (ORG and 
INFO) was to avoid the question of whether there was a risk in naming them all 
under one TLD, since that question is difficult to answer convincingly; the 
risk profile when you consider all possible failure modes gets complicated to 
describe, quickly.

I haven't worked for Afilias for many years and certainly don't speak for them 
(or PIR) now, so consider this a historical nugget rather than anything 
authoritative about present-day operations or strategy :-)


Joe


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
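The naming scheme described in the message above, checked in code: each nameserver name is mapped to its closest enclosing zone, and flagged if that zone is one a resolver might treat as delegation-only. This is an added example, not part of the original message or any Afilias tooling; the delegation-only model is a simplification of the BIND9 behaviour, the set of delegation-only zones is an assumption, and ns-a.org. is a constructed name.

```python
# Added example. Zone apexes and NS names are copied from the dig output in
# the message; "info." is added as a zone apex because it is a TLD.
NS_NAMES = [
    "a0.org.afilias-nst.info.", "c0.org.afilias-nst.info.",
    "a2.org.afilias-nst.info.", "b0.org.afilias-nst.org.",
    "d0.org.afilias-nst.org.", "b2.org.afilias-nst.org.",
]
ZONES = {"org.", "info.", "org.afilias-nst.info.", "org.afilias-nst.org."}
# Assumption: some resolvers treat both TLDs as delegation-only.
DELEGATION_ONLY = {"org.", "info."}


def labels(name):
    """Split an absolute domain name into lower-cased labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_zone_tree(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def enclosing_zone(name, zones):
    """Closest enclosing zone apex for name (longest label match)."""
    hits = [z for z in zones if in_zone_tree(name, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)


def at_risk(name, zones=ZONES, delegation_only=DELEGATION_ONLY):
    """Simplified model: a delegation-only resolver accepts referrals and
    apex data from the zone, and turns any other answer into NXDOMAIN. A
    nameserver name is at risk when the zone holding its address records
    is itself delegation-only and the name is not that zone's apex."""
    zone = enclosing_zone(name, zones)
    return zone in delegation_only and labels(name) != labels(zone)


def audit(names):
    """Map each nameserver name to (enclosing zone, at-risk flag)."""
    return {n: (enclosing_zone(n, ZONES), at_risk(n)) for n in names}


if __name__ == "__main__":
    # "ns-a.org." is a constructed name placed directly in ORG for contrast.
    for name, (zone, risk) in audit(NS_NAMES + ["ns-a.org."]).items():
        print(f"{name:28} zone={zone:24} at_risk={risk}")
```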