Claiming Authority for root

Jim Reid jim at rfc1035.com
Thu Jun 29 18:11:17 UTC 2000


>>>>> "Allen" == Allen Bettiyon <allen at northsky.com> writes:

    Allen> I would like to get people's opinions about setting up a
    Allen> server that thinks it is authoritative for the "." domain.

Don't do this unless you're on a private network that isn't connected
to the internet. Or you run one of the Internet's 13 root servers of
course. Nobody should mess with the root zone unless they *really*
know what they are doing.

    Allen> Essentially, I am wanting to do this so that I can add (or
    Allen> remove) zones dynamically using nsupdate.  This procedure
    Allen> works perfectly, and the name server does give the correct
    Allen> answers when it is queried.

I think you are mistaken. Every zone has exactly 1 SOA record. How can
you create a new zone by getting nsupdate to add a SOA record for it?
This update would have to go to the parent zone. If that SOA record
was added successfully, it would mean the parent zone had two SOA
records. This is just wrong. I'd be very surprised if nsupdate and
named let you do this. [Not that I'm silly enough to have tried such a
thing.] And can you do zone transfers of these dynamically added
"zones"?

    Allen> When a reply is given, my name server claims authority for
    Allen> the (root) domain.  Will other name servers on the internet
    Allen> see this information and start asking me for all of its
    Allen> root requests?

Only if they're stupid enough to ask your name server about the root
zone or forward queries to your server. And as soon as they do that,
they'll see your name space rather than the real one on the Internet.

For instance I could configure my name server to answer
authoritatively for your domain, northsky.com and have it tell lies
about that domain. This wouldn't affect you unless the world's name
servers decided to come to my name server instead of yours when they
wanted to look up northsky.com. They would only do that if the .com
name servers had a delegation for northsky.com that pointed at my
servers instead of yours. The same thing in principle will happen for
your bogus root zone. You can certainly set it up, but getting other
name servers to believe your bogus root zone is the real one is much
harder.

    Allen> We will probably have a * entry in that "." domain

Wildcard resource records are a very bad idea. [Spammers love 'em.]
It's even worse when the wildcard is in the root zone. Have you any
idea how bad things will get for you and anything that uses your name
server if you implement this?
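A zone sanity check that encodes the points made in this reply (exactly one SOA, at the apex; a child zone's SOA does not belong in the parent; a wildcard at the root apex is flagged), added here as an example and not code from the original post or from BIND. The record values, the ns.example.test names and the northsky.com records are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str   # owner name, with or without trailing dot
    rtype: str  # "SOA", "NS", "A", ...
    rdata: str

def normalize(name: str) -> str:
    # Lower-case and make fully qualified; "." stays the root.
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."

def in_zone(owner: str, apex: str) -> bool:
    return apex == "." or owner == apex or owner.endswith("." + apex)

def check_zone(apex: str, rrs: list[RR]) -> list[str]:
    """Return the problems found; an empty list means the zone passes."""
    apex = normalize(apex)
    problems: list[str] = []
    soa_owners = [normalize(r.name) for r in rrs if r.rtype.upper() == "SOA"]
    n_apex = soa_owners.count(apex)
    if n_apex == 0:
        problems.append(f"no SOA at apex {apex}")
    elif n_apex > 1:
        problems.append(f"{n_apex} SOA records at apex {apex}; a zone has exactly one")
    for owner in soa_owners:
        if owner != apex:  # what an nsupdate 'adding a zone' to the parent leaves behind
            problems.append(f"SOA for {owner} inside zone {apex}: a child zone's SOA "
                            "belongs in the child zone, not in the parent")
    if not any(normalize(r.name) == apex and r.rtype.upper() == "NS" for r in rrs):
        problems.append(f"no NS records at apex {apex}")
    for r in rrs:
        owner = normalize(r.name)
        if not in_zone(owner, apex):
            problems.append(f"{owner} is outside zone {apex}")
        if owner.startswith("*."):
            where = "the root zone" if apex == "." else f"zone {apex}"
            problems.append(f"wildcard {owner} in {where} synthesizes answers for "
                            "every name that does not otherwise exist")
    return problems

# Constructed sample of the setup in the thread: a server authoritative for ".",
# a wildcard at the root, and a "zone" added via nsupdate (example.test is a placeholder).
SOA = "ns.example.test. hostmaster.example.test. 1 3600 900 604800 3600"
BOGUS_ROOT = [RR(".", "SOA", SOA), RR(".", "NS", "ns.example.test."),
              RR("*", "A", "192.0.2.1"), RR("example.test", "SOA", SOA)]
# Constructed sample of an ordinary zone that passes.
GOOD_ZONE = [RR("northsky.com", "SOA", SOA), RR("northsky.com", "NS", "ns1.northsky.com."),
             RR("ns1.northsky.com", "A", "192.0.2.53")]
```

Running `check_zone(".", BOGUS_ROOT)` reports the stray SOA for example.test and the root wildcard, while `check_zone("northsky.com", GOOD_ZONE)` returns an empty list.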
