Complete explanation of in-bailiwick

Joseph S D Yao jsdy at center.osis.gov
Tue Jul 29 20:09:56 UTC 2003


On Tue, Jul 29, 2003 at 12:35:15PM -0400, Michele Chubirka wrote:
> Could someone go into more detail regarding in-bailiwick delegation and
> the relevant RFCs? Thanks.
> 
> Michele Chubirka
> Unix Systems Administrator
> George Washington University
> 202-994-5791 

Hi, Michele!

I'd never heard this phrase before, so I had to go look see where it
was used.  Mostly by D. J. Bernstein, a bright guy who has trouble in
discussing things without getting too emotional about them, so a lot of
his good points get overlooked along with the bad ones.  ;-]  And he
does have some good points; but by not being able to discuss them, he
can't develop them as well as he might otherwise.  For both reasons,
therefore, no RFCs.

The idea here seems to be that you should have A records and internal
names in your domains for all of your name servers, even - especially!
- the ones not under your control.  The good part of this idea is that
it prevents your name servers' names being hijacked by a TLD or lower-
level name server gone rogue.  The bad part of this idea is that you
aren't letting the "out-of-bailiwick" name servers' IP addresses get
updated by their own domain masters when they change.  And what if the
IP address that last week was a Vanderbilt U organization is this week
some nasty site that wants to mess with you?  [Happened to me with a
Web link.]

There's also some vagueness as to what constitutes your "bailiwick".
Again, it's whatever is under your control.  But you mention delegation.
So, do your subdomains trust you enough to have the bailiwick be
"gwu.edu"?  Do you trust them enough to delegate bailiwicity?
["bailiwicity"????]

ISTM that it's a bit of a red herring, though, unless you KNEW, e.g.,
that auth4.dns.rcn.net were an MS W'95 machine on a public corridor
that could be messed with by any passerby who knew what it was.  And if
you knew that, why would you ask them to serve as one of your name
servers?  ;-)

[OK, so we know that RCN security is so tight that we sometimes can't
get in on the spur of the moment to fix gwyn - but it was an example.
;-)]

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
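
The trade-off described in the message above, as an added example that is not part of the original post: a Python check that classifies a zone's NS names as in- or out-of-bailiwick and flags an in-zone address that no longer matches what the server's operator publishes. The zone, names, addresses and the `audit_delegation` helper are constructed for illustration.

```python
# Added example (not from the original message). All names and addresses are constructed.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [p for p in name.lower().rstrip(".").split(".") if p]

def canon(name):
    """Canonical lower-case form without the trailing dot."""
    return ".".join(labels(name))

def in_bailiwick(name, zone):
    """True when name is the zone apex or below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def audit_delegation(zone, ns_names, zone_addresses, operator_addresses):
    """Classify each NS name and flag the stale-address risk.

    zone_addresses: address records held in our own zone data (owner -> IPs).
    operator_addresses: what the server's real operator currently publishes
        (our in-zone name -> IPs), for servers we do not run ourselves.
    """
    ours = {canon(k): set(v) for k, v in zone_addresses.items()}
    theirs = {canon(k): set(v) for k, v in operator_addresses.items()}
    findings = {}
    for ns in ns_names:
        key = canon(ns)
        if not in_bailiwick(key, zone):
            findings[key] = "out-of-bailiwick"  # resolution depends on another zone
        elif key not in ours:
            findings[key] = "missing-address"   # in-zone name with no address record
        elif key in theirs and ours[key] != theirs[key]:
            findings[key] = "stale-address"     # our copy differs from the operator's
        else:
            findings[key] = "ok"
    return findings

# Constructed sample data (documentation address ranges).
ZONE = "example.edu"
NS = ["ns1.example.edu.", "ns2.example.edu", "ns3.example.edu",
      "NS.notexample.edu", "auth.dns.example.net"]
ZONE_ADDRS = {"ns1.example.edu": {"192.0.2.1"}, "ns2.example.edu": {"198.51.100.7"}}
OPERATOR_ADDRS = {"ns2.example.edu": {"198.51.100.99"}}  # operator renumbered

if __name__ == "__main__":
    for name, status in audit_delegation(ZONE, NS, ZONE_ADDRS, OPERATOR_ADDRS).items():
        print(f"{name:24} {status}")
```

The label-by-label comparison matters: a plain string suffix test would wrongly treat `ns.notexample.edu` as inside `example.edu`.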

