On Oct 29, 2013, at 2:37 PM, Joe Abley wrote:

> On 2013-10-29, at 06:18, Jaap Akkerhuis <[email protected]> wrote:
>
>> If I remember correctly, the whole mess was augmented by all these
>> resolvers which thought that SE had a delegation only policy. When
>> the name servers became in bailiwick ...
>
> The threat of delegation-only configuration in BIND9 was one of the things
> that caused me to propose the naming scheme you see for Afilias's hosted
> TLDs, back in the day.
>
> Aside from the general ugliness and confusion that all those similar NS names
> cause (sorry about that) the general approach was to delegate the TLD to
> names in separate zones, but to host those zones alongside the TLD on the
> same nameserver. So, for example, we see
>
> [walrus:~]% dig org. ns +short
> a0.org.afilias-nst.info.
> d0.org.afilias-nst.org.
> b0.org.afilias-nst.org.
> c0.org.afilias-nst.info.
> a2.org.afilias-nst.info.
> b2.org.afilias-nst.org.
> [walrus:~]% dig org.afilias-nst.info. ns +short
> b0.org.afilias-nst.org.
> d0.org.afilias-nst.org.
> a0.org.afilias-nst.info.
> c0.org.afilias-nst.info.
> a2.org.afilias-nst.info.
> b2.org.afilias-nst.org.
> [walrus:~]% dig org.afilias-nst.org ns +short
> c0.org.afilias-nst.info.
> b0.org.afilias-nst.org.
> b2.org.afilias-nst.org.
> a0.org.afilias-nst.info.
> d0.org.afilias-nst.org.
> a2.org.afilias-nst.info.
> [walrus:~]%
>
> This allows any of those nameservers to answer authoritatively for any of
> those three zones, but provides defence against people asserting
> delegation-only semantics in ORG.
>
> The use of separate superordinate TLDs for the nameservers themselves (ORG
> and INFO) was to avoid the question of whether there was a risk in naming
> them all under one TLD, since that question is difficult to answer
> convincingly; the risk profile when you consider all possible failure modes
> gets complicated to describe, quickly.
>
> I haven't worked for Afilias for many years and certainly don't speak for
> them (or PIR) now, so consider this a historical nugget rather than anything
> authoritative about present-day operations or strategy :-)
>
>
> Joe
Although humanly quite tricky, this naming scheme has a nice machine/computer
thought behind it; if we had more than one TLD and used a similar scheme the
incident we had would simply not have occurred, as "only" one TLD could have
been affected by the ORIGIN issue whilst still retaining the bonuses DNSSEC
offers.

I suppose you could say it's an unusual luxury to have more than one TLD at your
disposal to do something like this, but it's still a nice naming strategy imho
so - nice job! :) Hmm, and since September this year we have .NU, so I guess it
would be possible for us too... interesting... ;)
/Regards, Einar
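As an added illustration (not part of the thread, and not Afilias's or PIR's tooling), the script below encodes the three properties Joe describes as offline checks over NS RRsets: the TLD's nameservers live in zones separate from the TLD itself, those zones are hosted alongside the TLD on the same server set, and the NS names are spread over at least two superordinate TLDs. The RRsets are transcribed from the dig output quoted above; the "example." data is a constructed contrast case.

```python
"""Offline consistency checks for the TLD nameserver naming scheme described
in the thread. No DNS queries are made; all RRsets below are constructed."""

# Constructed sample: zone -> NS RRset, transcribed from the quoted dig output.
# All three zones returned the same six names, so they share one set here.
ORG_NS = {
    "a0.org.afilias-nst.info.", "b0.org.afilias-nst.org.",
    "c0.org.afilias-nst.info.", "d0.org.afilias-nst.org.",
    "a2.org.afilias-nst.info.", "b2.org.afilias-nst.org.",
}
NS_RRSETS = {
    "org.": ORG_NS,
    "org.afilias-nst.info.": set(ORG_NS),
    "org.afilias-nst.org.": set(ORG_NS),
}

# Constructed contrast case (hypothetical TLD): in-zone glue, all under one TLD.
WEAK_RRSETS = {"example.": {"ns1.example.", "ns2.example."}}


def superordinate_tld(name):
    """Rightmost label of an absolute name: 'a0.org.afilias-nst.info.' -> 'info.'."""
    return name.rstrip(".").rsplit(".", 1)[-1] + "."


def parent_zone(name):
    """Name with its leftmost label removed: 'a0.org.afilias-nst.info.' -> 'org.afilias-nst.info.'."""
    return name.split(".", 1)[1]


def check_scheme(tld_zone, rrsets):
    """Return a list of findings; an empty list means the scheme is followed."""
    tld_ns = rrsets[tld_zone]
    findings = []
    # 1. NS names must sit in zones distinct from the TLD, not be in-zone glue,
    #    so a delegation-only resolver policy for the TLD does not reject them.
    ns_zones = {parent_zone(n) for n in tld_ns}
    if tld_zone in ns_zones:
        findings.append(f"{tld_zone} NS names are in-zone glue, not in a separate zone")
    # 2. Those zones must be hosted alongside the TLD: identical NS RRsets.
    for zone in sorted(ns_zones - {tld_zone}):
        if rrsets.get(zone) != tld_ns:
            findings.append(f"{zone} is not hosted alongside {tld_zone} (NS set differs)")
    # 3. NS names should be spread over at least two superordinate TLDs.
    tlds = {superordinate_tld(n) for n in tld_ns}
    if len(tlds) < 2:
        findings.append(f"all {tld_zone} NS names sit under one TLD: {sorted(tlds)}")
    return findings


if __name__ == "__main__":
    for zone, data in (("org.", NS_RRSETS), ("example.", WEAK_RRSETS)):
        print(zone, check_scheme(zone, data) or ["OK"])
```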
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
