North American Network Operators Group


Re: Root Server Operators (Re: What *are* they smoking?)

  • From: bert hubert
  • Date: Wed Sep 17 10:20:33 2003

On Wed, Sep 17, 2003 at 03:35:31PM +0200, Stefan Baltus wrote:
> On Wed, Sep 17, 2003 at 09:27:13AM -0400, Todd Vierling wrote:
> > On Wed, 17 Sep 2003, Paul Vixie wrote:
> > : > Anyone have a magic named.conf incantation to counter the verisign
> > : > braindamage?
> > : zone "com" { type delegation-only; };
> > : zone "net" { type delegation-only; };
> 
> My first reaction to this was: 'yuck'. I'm not sure of the 
> side-effects this will introduce. Anyone?

The only thing I am slightly worried about is setups that currently "work"
because they rely on glue. Nothing stops someone from doing:

yourdomain.com		IN	NS 	www.yourdomain.com.
yourdomain.com		IN	NS 	yourdomain.com.
www.yourdomain.com	IN	A	1.2.3.4
yourdomain.com		IN	A	1.2.3.4

And not run a nameserver at all and completely rely on glue.

Something like this can be seen on www.airow.com:
$ dig www.airow.com @a.gtld-servers.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24292
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.airow.com.			IN	A

;; ANSWER SECTION:
www.airow.com.		172800	IN	A	66.82.206.10


Note the lack of 'aa' bit - but I wonder how many resolvers were accepting
this answer. I know pdns_recursor does, it trusts glue to be right. In this
case, if we actually bother to ask the nameserver www.airow.com for the IP
address of www.airow.com, we don't get an answer. If we ask the other listed
nameserver for airow.com (ns1.rfwwp.com), we get a different IP address,
208.191.129.189.

Different publicly available recursors (130.161.180.1, 195.96.96.97)
appear to return the first address when currently queried for
www.airow.com, so they trust the glue too.

After delegation-only, they will start to return 208.191.129.189, which is
probably an improvement, but a change nonetheless.

So I'm unsure about ISC's approach.

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
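The two resolver-side behaviours the post contrasts, modelled offline as an added example (this is not code from the post, from BIND or from PowerDNS). The first function applies the rule BIND documents for `type delegation-only`: a response from the delegation-only zone for a name below its apex that carries no delegation (NS records for a subzone) in the AUTHORITY section is rewritten to NXDOMAIN. The other two functions show the difference between a recursor that takes glue as a final answer and one that uses glue only to reach the delegated nameservers and then insists on a reply with the `aa` bit set. The responses are constructed: the names and the 66.82.206.10 / 208.191.129.189 addresses come from the post, while the AUTHORITY and ADDITIONAL contents, the synthesized-wildcard reply, the `AUTH_SERVERS` table and the 192.0.2.1 address are assumptions made for the example.

```python
"""Offline model of delegation-only filtering and of glue trust.

Added example, not code from the original post, BIND or PowerDNS.
All responses below are constructed; see the comments for what is
taken from the post and what is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RR:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A" or "NS"
    rdata: str


@dataclass
class Response:
    qname: str
    aa: bool                                   # authoritative-answer flag
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def below(name: str, zone: str) -> bool:
    """True if name is strictly below zone (airow.com. is below com.)."""
    return name != zone and name.endswith("." + zone)


def delegation_only(resp: Response, zone: str) -> Response:
    """BIND 'type delegation-only' rule for names under `zone`.

    A referral carries NS records in AUTHORITY for a name below the
    apex; any other positive answer for a non-apex name becomes
    NXDOMAIN.  Queries for the apex itself are left untouched.
    """
    if not below(resp.qname, zone) or resp.rcode != "NOERROR":
        return resp
    has_delegation = any(
        rr.rtype == "NS" and below(rr.name, zone) for rr in resp.authority
    )
    if has_delegation:
        return resp
    return Response(qname=resp.qname, aa=resp.aa, rcode="NXDOMAIN")


def resolve_trusting_glue(referral: Response) -> Optional[str]:
    """Glue-trusting recursor: use any A record for qname found in the
    TLD server's reply (ANSWER or ADDITIONAL) without asking the child."""
    for rr in referral.answer + referral.additional:
        if rr.rtype == "A" and rr.name == referral.qname:
            return rr.rdata
    return None


def resolve_strict(referral: Response,
                   auth_servers: Dict[str, Optional[Response]]) -> Optional[str]:
    """Strict recursor: glue only tells us which servers to ask; an A
    record is accepted only from a reply with the aa bit set.
    auth_servers maps nameserver name -> its reply (None = no reply);
    how the recursor reaches each server is out of scope here."""
    for rr in referral.authority:
        if rr.rtype != "NS":
            continue
        reply = auth_servers.get(rr.rdata)
        if reply is None or not reply.aa:
            continue                       # dead server or non-authoritative
        for a in reply.answer:
            if a.rtype == "A" and a.name == referral.qname:
                return a.rdata
    return None


COM = "com."

# Shape of the gtld-servers reply quoted in the post: glue for the
# asked name in ANSWER, aa clear.  AUTHORITY/ADDITIONAL are assumed.
AIROW_REFERRAL = Response(
    qname="www.airow.com.", aa=False,
    answer=[RR("www.airow.com.", "A", "66.82.206.10")],
    authority=[RR("airow.com.", "NS", "www.airow.com."),
               RR("airow.com.", "NS", "ns1.rfwwp.com.")],
    additional=[RR("www.airow.com.", "A", "66.82.206.10")],
)

# Synthesized answer for a name that does not exist: no delegation at
# all.  Constructed; 192.0.2.1 is a documentation address.
WILDCARD_ANSWER = Response(
    qname="no-such-name-xyz.com.", aa=True,
    answer=[RR("no-such-name-xyz.com.", "A", "192.0.2.1")],
)

# Per the post: no nameserver answers at www.airow.com, and
# ns1.rfwwp.com gives a different, authoritative address.
AUTH_SERVERS: Dict[str, Optional[Response]] = {
    "www.airow.com.": None,
    "ns1.rfwwp.com.": Response(
        qname="www.airow.com.", aa=True,
        answer=[RR("www.airow.com.", "A", "208.191.129.189")]),
}

if __name__ == "__main__":
    print("delegation-only on glue referral:",
          delegation_only(AIROW_REFERRAL, COM).rcode)       # NOERROR
    print("delegation-only on wildcard answer:",
          delegation_only(WILDCARD_ANSWER, COM).rcode)      # NXDOMAIN
    print("glue-trusting:", resolve_trusting_glue(AIROW_REFERRAL))
    print("strict:", resolve_strict(AIROW_REFERRAL, AUTH_SERVERS))
```

Note what the model shows: the airow.com reply survives the delegation-only filter because it does carry NS records for a subzone, so whether a recursor hands out 66.82.206.10 or 208.191.129.189 for this name is decided by its glue policy, not by the zone type; the synthesized reply with no delegation in AUTHORITY is the case delegation-only turns into NXDOMAIN.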