On 08.07.2019 at 21:01, Brian Dickson wrote:
> What about using namespace instead of class or rrtype, or perhaps in
> addition to that?
> By making it an in-band thing but out-of-name-space, it makes it a
> little more difficult to achieve self-immolation.
> The namespace could be specified as having local-only significance, and
> putting it under a single parent name lets you manage it all however you
> want, including potentially in a single zone.
> E.g. zone "my.example.com.cover.t", or "example.com.covert.", or even
> "covert.". Protect *that* with TSIG etc., or possibly also use DNSSEC
> and/or ZONEMD for extra goodness.
> Maybe add it to the registry of special purpose names? Basically, if a
> query is seen on it, drop it, unless the query is AXFR/IXFR.
>
> Using the namespace allows you to break it up into subzones, e.g. to
> correspond to delegated or managed zones, where the transfer tree
> differs. Or not, if you don't have that particular use case to handle.
>
> Put it in a reserved TLD that is not delegated, and you should not
> expect any queries even by accident.
> Add whatever other magic your flavor of authoritative servers supports
> for limiting queries etc., and you're golden.
That breaks the hierarchicality of DNS - you have two completely unrelated (in terms of 'classical' DNS) zones stored in one file. Also - the draft includes the way to query for those records (useful for example for NOTE RR); moving them to a different hierarchy somehow breaks that.

Witold

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
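To make the "out-of-namespace" proposal quoted above concrete, here is an added example that is not part of the thread, the draft, or any server's code. It models the idea as a small policy: metadata for a zone is mapped under a reserved parent name, and an authoritative server refuses every query under that parent unless it is a zone transfer (AXFR/IXFR). The parent name "covert." and all function names are assumptions chosen for illustration. The subdomain test matches on whole labels rather than string suffixes, because a naive `endswith("covert.")` would also match names such as "notcovert.".

```python
from typing import List

# Assumed reserved, undelegated parent name (an assumption for this example,
# following the "covert." suggestion in the quoted message).
COVERT_PARENT = "covert."


def normalize(name: str) -> str:
    """Lower-case the name and make it absolute (trailing dot).

    DNS names are case-insensitive, so comparisons must be done on a
    canonical form.
    """
    name = name.strip().lower()
    if not name.endswith("."):
        name += "."
    return name


def labels(name: str) -> List[str]:
    """Split an absolute name into its labels; the root is represented as []."""
    n = normalize(name)
    return [] if n == "." else n.rstrip(".").split(".")


def is_subdomain(name: str, parent: str) -> bool:
    """True if `name` equals `parent` or lies below it, matching whole labels.

    A plain string suffix test gets this wrong: 'notcovert.' is not under
    'covert.', although it ends with the same characters.
    """
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def covert_name(zone: str, parent: str = COVERT_PARENT) -> str:
    """Map a zone name to its metadata name under the reserved parent.

    'example.com.' -> 'example.com.covert.'
    """
    return ".".join(labels(zone) + labels(parent)) + "."


def query_policy(qname: str, qtype: str, parent: str = COVERT_PARENT) -> str:
    """Decide what an authoritative server should do with a query.

    Returns 'drop' for any ordinary query under the reserved parent and
    'allow' otherwise; only AXFR/IXFR (zone transfers) are let through,
    as the quoted message suggests. Transfer authentication (TSIG) is
    assumed to be enforced separately by the server.
    """
    if is_subdomain(qname, parent) and qtype.upper() not in ("AXFR", "IXFR"):
        return "drop"
    return "allow"


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = [
        ("example.com.", "TXT"),
        (covert_name("example.com."), "TXT"),
        (covert_name("example.com."), "AXFR"),
        ("my.example.com.covert.", "A"),
        ("notcovert.", "SOA"),
    ]
    for qname, qtype in samples:
        print(f"{qname:28} {qtype:5} -> {query_policy(qname, qtype)}")
```

The sub-zone layout from the quoted message falls out of the same label-based test: "my.example.com.covert." is under "example.com.covert.", which in turn is under "covert.", so a server can apply the drop rule at the reserved parent while delegating or transferring the per-zone subtrees separately.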