To: Harald@Alvestrand.no (Harald Tveit Alvestrand)
Cc: hardie@kiwi.equinix.com (Ted Hardie), dnsop@cafax.se
From: hardie@equinix.com
Date: Mon, 23 Aug 1999 11:48:04 -0700 (PDT)
In-Reply-To: <4.2.0.58.19990822030600.01e0a820@dokka.maxware.no> from "Harald Tveit Alvestrand" at Aug 22, 1999 03:09:57 AM
Reply-to: hardie@equinix.com
Sender: owner-dnsop@cafax.se
Subject: Re: I-D ACTION:draft-lindberg-dnsop-isp-root-server-00.txt
<Snipped discussion of SOA info being changed under Gunnar's scheme>

Harald wrote:
>
> I don't get this - is any software anywhere actually routing queries
> to the nameserver named in the SOA record?
>
>
> I know for a fact that some zones have a nameserver in their SOA that
> isn't in their NS list (the case where I know why, it's because the
> Real Master is behind a dialup link, but still with a fixed IP addr)

I hadn't thought of this case. I do know of situations where folks
run script checks on caching nameservers that match up SOA reported
by the roots and NS lists in the cache to see if someone has tried to
hijack domains. I believe that it would report a false positive in
your case (and it doesn't catch everything in any case--it's just a
flagging mechanism). Do you know of any cases now where there is no
overlap between SOA and NS?

>
> If not, I'd say that this distinction is part of the solution, not
> part of the problem; where the info comes from is SOA, where you get it
> from is NS.

Agreed.

> The problem of who signs the NS set is a nasty one anyway.

And the need to have it signed is even more clear under this scheme.

Ted Hardie
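
An added example, not part of the original message or of the draft it discusses: the SOA-versus-NS flagging check described above, run over constructed records. The zone names, record values and function names are assumptions; the zone with a hidden master comes out flagged, which is the false positive the message anticipates.

```python
"""Flag zones whose SOA MNAME is not among their NS targets (constructed data)."""
from collections import defaultdict

# Constructed sample records in master-file / dig answer style (not real zones).
SAMPLE = """\
example.org.      3600 IN SOA ns1.example.org. hostmaster.example.org. 1999082301 7200 3600 604800 86400
example.org.      3600 IN NS  ns1.example.org.
example.org.      3600 IN NS  NS2.Example.Org.
hidden.example.   3600 IN SOA master.hidden.example. hostmaster.hidden.example. 1999082301 7200 3600 604800 86400
hidden.example.   3600 IN NS  ns1.isp.example.
hidden.example.   3600 IN NS  ns2.isp.example.
orphan.example.   3600 IN NS  ns1.isp.example.
"""

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def parse(text):
    """Return {zone: {"mname": str or None, "ns": set()}} from record lines."""
    zones = defaultdict(lambda: {"mname": None, "ns": set()})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # skip blanks and anything not owner/ttl/class/type/rdata
        owner, rtype, rdata = norm(fields[0]), fields[3].upper(), fields[4:]
        if rtype == "SOA":
            zones[owner]["mname"] = norm(rdata[0])  # first SOA field is MNAME
        elif rtype == "NS":
            zones[owner]["ns"].add(norm(rdata[0]))
    return dict(zones)

def check(zones):
    """Classify each zone: ok, flag (MNAME absent from NS set), or incomplete."""
    result = {}
    for zone, rec in sorted(zones.items()):
        if rec["mname"] is None or not rec["ns"]:
            result[zone] = "incomplete"  # cannot compare without both record types
        elif rec["mname"] in rec["ns"]:
            result[zone] = "ok"
        else:
            result[zone] = "flag"  # hijack candidate OR a legitimate hidden master
    return result

if __name__ == "__main__":
    for zone, verdict in check(parse(SAMPLE)).items():
        print(f"{zone:20} {verdict}")
```

A "flag" verdict only marks a zone for manual review; it cannot distinguish a hidden master from tampered data on its own.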