Negative zones; NXDOMAIN responses
Mark Andrews
marka at isc.org
Wed May 22 00:11:10 UTC 2013
In message <519B9008.7040103 at chrysler.com>, Kevin Darcy writes:
>
> Ugh, I'm trying _really_ hard not to be an annoying nitpicker (yeah, I
> know, try harder :-), but...
>
> The relevant verbiage of RFC 6762 is:
>
> Caching DNS servers SHOULD recognize these names as special and
> SHOULD NOT attempt to look up NS records for them, or otherwise
> query authoritative DNS servers in an attempt to resolve these
> names. Instead, caching DNS servers SHOULD generate immediate
> NXDOMAIN responses for all such queries they may receive (from
> misbehaving name resolver libraries). This is to avoid unnecessary
> load on the root name servers and other name servers.
>
> I'm not sure that slaving the root zone (although it is the "simplest
> solution" and undoubtedly _works_) is really compatible with the letter
> or spirit of that verbiage...
>
> - Kevin
And doing that doesn't work if you have a validating stub resolver
as there is no insecure delegation to .local in the root zone.
Synthesis of DNS records is not straight forward in the presence of
DNSSEC.
See RFC 6303 Locally Served DNS Zones for how it needs to be done.
You will note that IANA was tasked with the job of getting insecure
delegations added for all the zones listed.
When you slave the root you do not need a insecure delegation. It is
possible to cryptographically identify when secure delegations have
been tampered with which will cover the majority of the delegations in
the root zone. All new TLDs are required to support DNSSEC.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list