DNS ROOT understanding

Kevin Darcy kcd at daimlerchrysler.com
Fri Nov 19 02:13:14 UTC 2004

Jim Reid wrote:

>>>>>>"Jonathan" == Jonathan de Boyne Pollard <J.deBoynePollard at Tesco.NET> writes:
>    JR> The circumstances you describe are not those of a well behaved
>    JR> DNS setup.
>    Jonathan> Also wrong. The DNS setup described is behaving exactly
>    Jonathan> as it should.
>No it isn't. It's broken. The clients are asking for a non-existent
>name in a bogus top-level domain. That by definition cannot be a well
>behaved DNS setup.
Well, Jim, I don't know how you make DNS *clients* "behave", according 
to whatever definition you're using. Do you post an overseer at 
everyone's PC to stop them from typing "nslookup localhost.localdomain" 
at the command-line?

The most we can usually enforce is good behavior at the *server* level. 
But if someone queries something in a bogus TLD and the server isn't 
authoritative for root and doesn't have any relevant negative-caching 
entries to stop it, then off to the root servers the query goes! There's 
not a lot that can be done to stop that, short of duplicating root-zone 
authority on one's own servers (as suggested elsewhere in this thread).

(Caveat: I haven't really looked very hard at the newfangled 
"delegation-only" stuff, so maybe there's a factor in the equation that 
I haven't taken into account).

                                             - Kevin

More information about the bind-users mailing list