DNS ROOT understanding
Kevin Darcy
kcd at daimlerchrysler.com
Fri Nov 19 02:13:14 UTC 2004
Jim Reid wrote:
>>>>>> "Jonathan" == Jonathan de Boyne Pollard <J.deBoynePollard at Tesco.NET> writes:
>
> JR> The circumstances you describe are not those of a well behaved
> JR> DNS setup.
>
> Jonathan> Also wrong. The DNS setup described is behaving exactly
> Jonathan> as it should.
>
>No it isn't. It's broken. The clients are asking for a non-existent
>name in a bogus top-level domain. That by definition cannot be a well
>behaved DNS setup.
>
Well, Jim, I don't know how you make DNS *clients* "behave", according
to whatever definition you're using. Do you post an overseer at
everyone's PC to stop them from typing "nslookup localhost.localdomain"
at the command-line?
The most we can usually enforce is good behavior at the *server* level.
But if someone queries something in a bogus TLD and the server isn't
authoritative for root and doesn't have any relevant negative-caching
entries to stop it, then off to the root servers the query goes! There's
not a lot that can be done to stop that, short of duplicating root-zone
authority on one's own servers (as suggested elsewhere in this thread).
(Caveat: I haven't really looked very hard at the newfangled
"delegation-only" stuff, so maybe there's a factor in the equation that
I haven't taken into account).
- Kevin
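Kevin's point, that a recursive server with no local authority and no cached negative answer will carry a bogus-name query all the way to the root servers, and that the practical fix is to be authoritative for that name space locally, can be shown as a BIND 9 configuration. This is an added example, not part of the post or of BIND's own documentation; the file paths, the client address range and the zone contents are assumptions constructed for illustration.

```conf
// --- /etc/named.conf (assumed path) ---
// A plain recursive resolver. With no local zone covering "localdomain",
// a client query for localhost.localdomain has nothing to answer it here,
// so named starts at the root hints and the junk query leaves the site.
options {
    directory "/var/named";                        // assumed directory
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };    // constructed client range
};

zone "." {
    type hint;
    file "named.root";                             // standard root hints file
};

// Mitigation: make this server authoritative for the bogus name space.
// localhost.localdomain gets an A record, anything else under it gets
// NXDOMAIN, and in both cases the answer comes from here, not the roots.
// The SOA minimum field (86400 below) sets how long clients cache the
// NXDOMAIN (RFC 2308), so repeated junk queries are absorbed locally.
zone "localdomain" {
    type master;
    file "db.localdomain";                         // assumed file, contents below
};

; --- /var/named/db.localdomain (assumed path) ---
; Minimal authoritative zone for the private "localdomain" name space.
$TTL 86400
@           IN  SOA  ns.localdomain. hostmaster.localdomain. (
                        2004111901  ; serial (constructed)
                        3600        ; refresh
                        900         ; retry
                        604800      ; expire
                        86400 )     ; negative-caching TTL
@           IN  NS   ns.localdomain.
ns          IN  A    127.0.0.1
localhost   IN  A    127.0.0.1
```

After `rndc reload`, a check such as `dig @127.0.0.1 nosuchhost.localdomain` should return NXDOMAIN with the `localdomain` SOA in the authority section and the `aa` flag set, and a packet capture on the resolver's upstream interface should show no query for that name leaving the host. The same pattern applies to any other private suffix a site's clients are known to generate.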