John Levine <jo...@taugh.com> wrote:
> Paul Wouters <p...@nohats.ca> wrote:
> >
> > Has anybody done a survey to find out how many TLD zones actually
> > fit the description of "delegation-only"?
>
> I did some greppage, and found that all of the domains run by Verisign
> and Nominet have signed non-glue A records. I think there are a lot of
> TLDs run by others that are delegation only but they're mostly tiny
> vanity domains.
If there are RRSIG(A) records in .com and .net there must have been a policy change since 2010?

There was a very subtle behaviour tweak implemented by Verisign for orphan glue aka host objects that have lost their domain objects: although the address records appear in the zone file, the name servers do not answer queries for them authoritatively: the addresses only appear in additional sections in referrals, and are not signed according to this:

https://seclists.org/nanog/2010/Jan/298

I don't know if other nameservers implement the same behaviour. AFAIK it isn't possible to represent orphan glue in standard zone files or zone transfers, so I think this is an ATLAS special.

Also despite having discussed this several times before I have not previously thought properly about how signing such a zone works!

I suppose the assumption is that most resolvers are delegation-centric by default so they won't normally come back to validate the glue in the referral and won't discover it has been orphaned. So it usually won't matter if gtld-servers.net return an NSEC3 opt-out denial in response to a direct query for an orphaned glue record.

Maybe an NSEC3 opt-out covering these address records is enough to imply that they are orphan glue without needing new zone file or zone transfer syntax...

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking: West backing southeast 2 to 4, increasing 5 or 6 later. Slight or moderate. Occasional rain. Good, occasionally poor in north.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
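The behaviour Tony describes (a glue address that shows up only in the additional section of a referral, while a direct query for the same name gets an NSEC3 Opt-Out denial instead of an authoritative, signed answer) can be turned into a concrete check that a zone operator or auditor can run over captured responses. The script below is an added illustration written for this thread; it is not Verisign's or ATLAS's code and does not reflect anything on gtld-servers.net. It contains a minimal DNS wire-format builder and parser, then compares a referral with a direct query and classifies the name. All messages are constructed inline: the names example.com and ns1.example.com, the address 192.0.2.1, the NSEC3 owner label and the RRSIG rdata are placeholders, and no signature validation is attempted.

```python
"""Classify DNS responses to spot orphan glue of the kind described in the thread.

Hypothetical helper written for this post; every message below is constructed,
not captured from a live server.
"""
import struct

A, NS, RRSIG, NSEC3 = 1, 2, 46, 50            # RR type codes used here
FLAG_QR, FLAG_AA = 0x8000, 0x0400             # header bits: response, authoritative answer
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, qtype, flags, answer=(), authority=(), additional=()):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answer) + b"".join(authority) + b"".join(additional)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if jumped else off)


def read_rrs(msg, off, count):
    rrs = []
    for _ in range(count):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs, off


def parse_response(msg):
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answer, off = read_rrs(msg, off, an)
    authority, off = read_rrs(msg, off, ns)
    additional, _ = read_rrs(msg, off, ar)
    return {"aa": bool(flags & FLAG_AA), "rcode": flags & 0xF,
            "answer": answer, "authority": authority, "additional": additional}


def classify_glue(name, referral_msg, direct_msg):
    """Compare a referral that carried NAME as glue with a direct query for NAME."""
    name = name.lower().rstrip(".") + "."
    ref, direct = parse_response(referral_msg), parse_response(direct_msg)
    in_additional = any(n == name and t == A for n, t, _ in ref["additional"])
    answered = {t for n, t, _ in direct["answer"] if n == name}
    if direct["aa"] and A in answered:
        return "signed-authoritative" if RRSIG in answered else "unsigned-authoritative"
    # NSEC3 rdata layout: byte 0 hash algorithm, byte 1 flags (bit 0 = Opt-Out)
    optout_denial = (direct["rcode"] == RCODE_NXDOMAIN and
                     any(t == NSEC3 and rd[1] & 1 for _, t, rd in direct["authority"]))
    if not in_additional:
        return "absent"
    return "orphan-glue-candidate" if optout_denial else "glue-without-optout-denial"


def sample_messages():
    """Constructed messages for the two cases in the thread (placeholders, not captures)."""
    glue = build_rr("ns1.example.com.", A, bytes([192, 0, 2, 1]))
    referral = build_response("www.example.com.", A, FLAG_QR,
                              authority=[build_rr("example.com.", NS, encode_name("ns1.example.com."))],
                              additional=[glue])
    # hash alg 1, flags 1 (Opt-Out), 0 iterations, empty salt, 20-byte next hash, empty bitmap
    nsec3 = struct.pack("!BBHB", 1, 1, 0, 0) + bytes([20]) + b"\x00" * 20
    optout_denial = build_response("ns1.example.com.", A, FLAG_QR | FLAG_AA | RCODE_NXDOMAIN,
                                   authority=[build_rr("placeholderhash.com.", NSEC3, nsec3)])
    fake_sig = b"\x00" * 18 + encode_name("com.") + b"\x00" * 64   # placeholder RRSIG rdata
    signed = build_response("ns1.example.com.", A, FLAG_QR | FLAG_AA,
                            answer=[glue, build_rr("ns1.example.com.", RRSIG, fake_sig)])
    return {"referral": referral, "optout_denial": optout_denial, "signed": signed}


if __name__ == "__main__":
    m = sample_messages()
    print(classify_glue("ns1.example.com.", m["referral"], m["optout_denial"]))  # orphan-glue-candidate
    print(classify_glue("ns1.example.com.", m["referral"], m["signed"]))         # signed-authoritative
```

The classification only looks at message structure: whether the A record was handed out as additional-section glue, whether the server is willing to answer for it authoritatively, and whether the denial it gives instead is an NSEC3 with the Opt-Out flag set. That is exactly the combination Tony suggests might be enough to imply "orphan glue" without new zone-file syntax; a real audit would feed it responses captured from the parent's servers and validate the RRSIG and NSEC3 chain rather than trusting the placeholder rdata used here.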