To: dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Thu, 18 Sep 2003 12:13:54 +0859 ()
Sender: owner-dnsop@cafax.se
Subject: delegation-only ineffective
As it is rather an operational than a protocol issue, I'm posting to DNSOP.

At http://www.isc.org/products/BIND/delegation-only.html it is stated that:

    In response to high demand from our users, ISC is releasing a patch for
    BIND to support the declaration of "delegation-only" zones in
    caching/recursive name servers. Briefly, a zone which has been declared
    "delegation-only" will be effectively limited to containing NS RRs for
    subdomains, but no actual data outside its apex (for example, its SOA RR
    and apex NS RRset). This can be used to filter out "wildcard" or
    "synthesized" data from NAT boxes or from authoritative name servers
    whose undelegated (in-zone) data is of no interest.

However, it is ineffective as a protection against synthesized NS and synthesized child zone contents from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

As for wildcarding, you can argue that synthesis is more evil than wildcarding. However, those who put undesired wildcards do not mind and will perform equivalently effective undesired synthesis.

Masataka Ohta

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
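The filtering rule quoted from ISC and the bypass the message describes, as an added toy model in Python. This is not ISC's patch or any BIND code; the resolver, the `SynthesizingServer` class, the `SERVERS` registry, and the zone names and addresses (`example.`, `ns.example.`, `192.0.2.1`) are constructed for the example. It runs the same delegation-only filter against a server that synthesizes A records (which the filter drops) and against one that synthesizes an NS delegation and then serves the child zone itself (which the filter lets through, because the child zone name is invented by the synthesizer and so is never on the operator's delegation-only list).

```python
"""Toy model (not ISC/BIND code) of a delegation-only filter on a recursive
resolver, and why a server that synthesizes NS records gets past it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A", "NS", "SOA", ...
    rdata: str   # address for A, host name for NS


def is_subdomain(name: str, zone: str) -> bool:
    """True when name lies strictly below zone (both end with a dot)."""
    if zone == ".":
        return name != "."
    return name != zone and name.endswith("." + zone)


def delegation_only_filter(zone: str, rrs: list) -> list:
    """Model of the delegation-only rule as ISC describes it: keep records at
    the zone apex and NS records for subdomains (delegations); drop any other
    in-zone data, such as a wildcard-synthesized A record."""
    return [rr for rr in rrs
            if rr.name == zone or (rr.rtype == "NS" and is_subdomain(rr.name, zone))]


class SynthesizingServer:
    """Constructed authoritative server for `zone` that invents answers for
    any name (a wildcarding zone or a NAT box, in the message's terms).

    mode "wildcard-data": synthesize an A record for the queried name.
    mode "synth-ns":      synthesize an NS record delegating the label directly
                          below the zone to `ns_host`, then serve A data when
                          queried as that child zone's server.
    """

    def __init__(self, zone: str, mode: str, address: str, ns_host: str):
        self.zone, self.mode, self.address, self.ns_host = zone, mode, address, ns_host

    def answer(self, qname: str, zone: str) -> list:
        # `zone` is the zone the resolver believes this server is serving.
        if not is_subdomain(qname, self.zone):
            return []
        if zone == self.zone and self.mode == "synth-ns":
            below = qname[: -len(self.zone) - 1].split(".")   # labels below the zone
            child = below[-1] + "." + self.zone                # "a.b.example." -> "b.example."
            return [RR(child, "NS", self.ns_host)]
        return [RR(qname, "A", self.address)]


SERVERS = {}   # NS host name -> server object (constructed topology)


def resolve(qname: str, zone: str, ns_host: str, delegation_only: set, depth: int = 0) -> list:
    """Minimal iterative lookup: ask `ns_host` for `qname` as the server of
    `zone`, apply the delegation-only filter if the operator declared that
    zone, and follow at most a few delegations. Returns the accepted A RRs."""
    if depth > 3:
        return []
    rrs = SERVERS[ns_host].answer(qname, zone)
    if zone in delegation_only:
        rrs = delegation_only_filter(zone, rrs)
    addresses = [rr for rr in rrs if rr.rtype == "A"]
    if addresses:
        return addresses
    referrals = [rr for rr in rrs if rr.rtype == "NS"]
    if not referrals:
        return []          # nothing survived the filter: treated as NXDOMAIN
    # The child zone name came from the synthesizer, so it cannot be on the
    # operator's list; the filter only protects zones declared in advance.
    return resolve(qname, referrals[0].name, referrals[0].rdata, delegation_only, depth + 1)


def demo() -> dict:
    """Run the two scenarios from the message against the same filter."""
    results = {}
    # Scenario 1: wildcard data in "example.", which the filter does stop.
    SERVERS["ns.example."] = SynthesizingServer("example.", "wildcard-data", "192.0.2.1", "ns.example.")
    results["wildcard_unfiltered"] = resolve("nonexistent.example.", "example.", "ns.example.", set())
    results["wildcard_filtered"] = resolve("nonexistent.example.", "example.", "ns.example.", {"example."})
    # Scenario 2: the same box synthesizes a delegation instead, then serves the child.
    SERVERS["ns.example."] = SynthesizingServer("example.", "synth-ns", "192.0.2.1", "ns.example.")
    results["synth_ns_filtered"] = resolve("nonexistent.example.", "example.", "ns.example.", {"example."})
    return results


if __name__ == "__main__":
    for name, rrs in demo().items():
        print(name, [(rr.name, rr.rtype, rr.rdata) for rr in rrs])
```

The filter is applied per zone that the operator listed, and nothing below a synthesized cut can be listed in advance, which is the message's point: the synthesizing box chooses where the delegation-only zone ends.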