ISC BIND BIND9 delegation-only Feature

Document last updated: October 23, 2003

delegation-only

In response to high demand from our users, ISC has added to BIND9 support for the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared delegation-only will be effectively limited to containing NS RRs for subdomains, but no actual data beyond its own apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

Example:

zone "FOO" { type delegation-only; };
zone "BAR" { type delegation-only; };

root-delegation-only

Additionally, because many of our users are uncomfortable receiving undelegated answers from root or top-level domains at all, other than from a few for which that behaviour has been trusted and expected for quite some length of time, we have introduced, starting with 9.2.3rc3, the root-delegation-only feature, which applies delegation-only logic to all top-level domains and to the root domain. An exception list should be specified, including the domains in the example below (which is used on ISC's own resolvers) and any other top-level domains from which undelegated responses are expected and trusted.

Example:

options {
     root-delegation-only exclude { "ad"; "af"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "fr";
                                    "id"; "lu"; "lv"; "md"; "ms"; "museum"; "name"; "no";
                                    "pa"; "pf"; "re"; "se"; "sr"; "to"; "tw"; "us"; "uy"; };
};
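
The decision that both features apply to a response can be modelled in a few lines of Python. This is an added example, not ISC's code: the function names and sample responses are constructed, and it simplifies by counting only an NS RRset in the authority section, owned by a name strictly below the zone, as a delegation.

```python
# Simplified model of the delegation-only decision (added example, not BIND source).

def labels(name):
    """Split a domain name into lowercase labels; the root ('.') gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def strictly_below(name, zone):
    """True when name is a proper subdomain of zone (not the apex itself)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z

def is_delegation_only(zone, declared=(), root_only=False, exclude=()):
    """Apply the two named.conf features from the page to one zone name."""
    z = labels(zone)
    if any(labels(d) == z for d in declared):
        return True                      # zone "X" { type delegation-only; };
    # root-delegation-only: the root and every TLD not on the exclude list
    excluded = {e.lower() for e in exclude}
    return root_only and len(z) <= 1 and (not z or z[0] not in excluded)

def filter_response(zone, qname, authority_ns_owners, **config):
    """Return 'accept' or 'NXDOMAIN' for a response from zone's servers."""
    if not is_delegation_only(zone, **config):
        return "accept"
    if labels(qname) == labels(zone):
        return "accept"                  # apex data (SOA, apex NS RRset)
    if any(strictly_below(o, zone) for o in authority_ns_owners):
        return "accept"                  # referral to a delegated subdomain
    return "NXDOMAIN"                    # in-zone or wildcard-synthesized data

# Constructed sample responses: (zone queried, qname, NS owners in authority)
SAMPLES = [
    ("foo", "foo", ["foo"]),                      # apex query
    ("foo", "www.example.foo", ["example.foo"]),  # normal referral
    ("foo", "no-such-name.foo", ["foo"]),         # wildcard answer, apex NS only
    ("de", "example.de", []),                     # TLD on the exclude list
]

def run_samples():
    cfg = dict(declared=["FOO", "BAR"], root_only=True, exclude=["de", "us"])
    return [filter_response(z, q, ns, **cfg) for z, q, ns in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample, "->", verdict)
```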

Older Releases

There is no support for "delegation only" zones in older releases. However, there is a workaround for late-model BIND8 if your need is very great, in the form of "per-zone forwarding" and ISC's public recursive servers, or any other BIND9 server which has the "root-delegation-only" feature enabled. If you choose to use ISC's public recursive servers for top-level domains .FOO and .BAR, your configuration file would have the following elements:

zone "FOO" { type forward; forward first; forwarders { 204.152.184.76; }; };
zone "BAR" { type forward; forward first; forwarders { 204.152.184.76; }; };

(If you can use IPv6 instead, please use 2001:4f8:0:2::14 rather than the IPv4 204.152.184.76 address shown above.)

(If you can possibly find a closer server, or run one yourself, you should.)

Naturally you should pay close attention to your performance and network load when making changes of this kind. ISC expresses no warranty whatsoever as to the usefulness of its public recursive nameservers for any particular purpose.