Markus Wild writes:
>> Just a quick review: which providers have already installed the 
>> Bind "delegation only" patch re. Verisign/Sitefinder (or similar 
>> for their environment)?

> Done this the last couple of days for VIA (some servers upgraded to
> latest bind9, others bind8 forwarder-chained to the new bind9 ones
> as per the instructions on www.isc.org). Only thing to watch out:
> there _are_ TLDs that include non-delegation records, so don't be
> too restrictive in your root-delegation-only clause. With the
> following setting from what I can tell in the logs there should be
> no legit entries rejected, but I'll have to recheck in a while:

>   root-delegation-only exclude { "de"; "lv"; "museum"; "us"; "ch";
>   "biz"; };

The problem is that neither you, nor the people at ISC, know which
domains exactly have "legitimate" non-delegation data in them.

We run a few secondaries for (cc)TLDs, and I found non-delegation data
in both of those that I checked.  .AR has some A records directly in
the zone, and .LU uses TXT records to mark domains that have been
reserved but not delegated ("inactive" domains in CH/LI-registry
terminology).  I am sure that there are many more such domains.  The
problem is that the operators of these TLDs don't read NANOG, so it
will take them a while to get on ISC's exceptions list :-(

> (I don't know about .ch - there at least USED to be MX records in there
> directly in the good old UUCP times, don't know whether some survived;-)).

Your memory is very good :-) According to my records, the last
"MX-only" domains were removed from the CH and LI zones in 1998.
So currently there is only delegation data in these zones.

But who knows, maybe sometime in the future there will be good reasons
to put non-delegation data into TLDs? The "MX-only" domains were an
example of such a registry service that people found useful at the time.
If many ISPs adopt the root-delegation-only "feature", it will become
almost impossible for TLDs to do this.

DON'T use "root-delegation-only".  If you want to remove the
sitefinder, then declare .COM and .NET as "delegation-only".

There is NO REASON to filter any TLDs other than .COM/.NET.

(Heck, it seems there isn't even any reason anymore for .com/.net,
now that Verisign retired the wildcard records.)

Of course I don't care what you configure on your PERSONAL recursive
nameserver, but if you operate one for other people
(e.g. customers), please be very careful when modifying data.  It is
very hard for users to "opt out".

These are just my personal opinions.
-- 
Simon.
----------------------------------------------
Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
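The thread turns on one practical question: before you list a zone as
"delegation-only" (per zone, or wholesale via "root-delegation-only"),
what non-delegation data does that zone actually serve? The following
is an added example, not code from the thread, from ISC or from any
registry. It parses a zone in plain master-file form and splits the
records into delegation data (the apex, NS records, DS at a delegation
point, A/AAAA glue at or below a delegated name) and everything else,
which is what a resolver would start rejecting once the zone is marked
delegation-only. The zone text is a constructed sample for the reserved
TLD "test" and deliberately contains the three cases the thread names:
an A record directly in the zone, a TXT record on a reserved name, and
an MX-only name. Assumptions, labelled in the code: one record per
line with fully qualified owner names, no $ORIGIN/$TTL shorthand and no
multi-line parentheses; the classification rules are the ones stated
above, not a transcription of BIND's internal logic.

```python
"""Audit a TLD zone for non-delegation data before declaring it delegation-only.

Added example, not from the thread or from ISC.  Input format is an
assumption: NAME TTL CLASS TYPE RDATA per line, fully qualified names,
no $ORIGIN/$TTL directives and no multi-line (...) records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


# Constructed sample zone (not real registry data) for the reserved TLD "test".
SAMPLE_ZONE = """
test.             86400 IN SOA  ns1.nic.test. hostmaster.nic.test. 2003091501 7200 3600 1209600 86400
test.             86400 IN NS   ns1.nic.test.
test.             86400 IN NS   ns2.nic.test.
nic.test.         86400 IN NS   ns1.nic.test.
nic.test.         86400 IN NS   ns2.nic.test.
ns1.nic.test.     86400 IN A    192.0.2.1        ; glue for nic.test.
ns2.nic.test.     86400 IN AAAA 2001:db8::2      ; glue for nic.test.
example.test.     86400 IN NS   ns.example.test.
ns.example.test.  86400 IN A    192.0.2.53       ; glue for example.test.
example.test.     86400 IN DS   12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567
www-direct.test.  86400 IN A    192.0.2.80       ; A record directly in the TLD
reserved.test.    86400 IN TXT  "reserved; not delegated"
mailonly.test.    86400 IN MX   10 mail.example.test.
"""


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, but leave ';' inside a quoted string alone."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_zone(text: str) -> list[Record]:
    """Parse the simplified master-file format described in the module docstring."""
    records = []
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append(Record(owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def at_or_below(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or is a subdomain of it (both fully qualified)."""
    return name == ancestor or name.endswith("." + ancestor)


def classify(records: list[Record], apex: str) -> tuple[list[Record], list[Record]]:
    """Split records into (delegation data, non-delegation data).

    Delegation data: anything at the apex (exempt from delegation-only),
    NS records below the apex, DS at a delegated name, and A/AAAA glue at
    or below a delegated name.  Everything else is what delegation-only
    would cause resolvers to reject.
    """
    apex = apex.lower()
    delegated = {r.owner for r in records if r.rtype == "NS" and r.owner != apex}
    delegation, other = [], []
    for r in records:
        if r.owner == apex or r.rtype == "NS":
            ok = True
        elif r.rtype == "DS":
            ok = r.owner in delegated
        elif r.rtype in ("A", "AAAA"):
            ok = any(at_or_below(r.owner, d) for d in delegated)
        else:
            ok = False
        (delegation if ok else other).append(r)
    return delegation, other


def named_conf(apex: str, records: list[Record]) -> str:
    """Emit a per-zone named.conf stanza only if the zone carries pure delegation data.

    A per-zone "type delegation-only" is the targeted form; the blanket
    "root-delegation-only" is what this audit argues against.
    """
    name = apex.strip(".")
    _, other = classify(records, apex)
    if not other:
        return f'zone "{name}" {{ type delegation-only; }};'
    lines = [f'// zone "{name}": NOT delegation-only, it serves non-delegation data:']
    lines += [f"//   {r.owner} {r.rtype} {r.rdata}" for r in other]
    return "\n".join(lines)


if __name__ == "__main__":
    print(named_conf("test.", parse_zone(SAMPLE_ZONE)))
```

Run against a real TLD you secondary for (after an AXFR dumped to
master-file form), the output is either a stanza you can paste, or the
list of records your customers would stop resolving. Running it over the
sample flags exactly the three records the thread describes, and the
glue and DS at delegated names are left alone.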