ISC BIND delegation-only Feature
delegation-only
In response to high demand from our users, ISC has added to BIND9 support for the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared delegation-only will be effectively limited to containing NS RRs for subdomains, but no actual data beyond its own apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.
Example:
zone "FOO" { type delegation-only; };
zone "BAR" { type delegation-only; };
root-delegation-only
Additionally, many of our users are uncomfortable receiving undelegated answers from root or top level domains at all, other than a few for whom that behaviour has been trusted and expected for quite some length of time. Starting with 9.2.3rc3 we have therefore introduced the root-delegation-only feature, which applies delegation-only logic to all top level domains and to the root domain. An exception list should be specified, including the domains listed in the example below (which is used on ISC's own resolvers), and any other top level domains from whom undelegated responses are expected and trusted.
Example:
options {
    // Top level domains listed here are exempt from delegation-only filtering.
    root-delegation-only exclude { "ad"; "af"; "ar"; "biz";
        "ch"; "cr"; "cu"; "de"; "dm"; "fi";
        "fr"; "gu"; "id"; "il"; "li"; "lu";
        "lv"; "md"; "mp"; "ms"; "museum"; "name";
        "nf"; "no"; "pa"; "pf"; "pl"; "pro";
        "re"; "se"; "sr"; "tel"; "to"; "tw";
        "us"; "uy"; "uz"; };
};
Naturally you should pay close attention to your performance and network load when making changes of this kind. ISC expresses no warranty whatsoever as to the usefulness of its public recursive nameservers for any particular purpose.
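
The filtering rule described in both sections above, as an added example: a simplified Python model written for this page, not BIND source code and not a complete description of the resolver's checks. The class and function names, the way a response is represented, and the sample names under the reserved "example" TLD are assumptions constructed for illustration.

```python
# Simplified model of delegation-only filtering; illustrative, not BIND's code.

def labels(name):
    """Split a domain name into lower-case labels; the root yields []."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []

def is_proper_subdomain(name, zone):
    """True when `name` lies strictly below `zone` (never equal to it)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z

class DelegationOnlyPolicy:
    def __init__(self, zones=(), root_delegation_only=False, exclude=()):
        self.zones = {tuple(labels(z)) for z in zones}
        self.root_only = root_delegation_only
        self.exclude = {tuple(labels(t)) for t in exclude}

    def is_delegation_only(self, zone):
        z = tuple(labels(zone))
        # root-delegation-only covers the root and every TLD not excluded.
        if self.root_only and len(z) <= 1 and z not in self.exclude:
            return True
        return z in self.zones

    def filter(self, queried_zone, qname, authority_ns_owners):
        """Verdict for a response sent by the servers of `queried_zone`."""
        if not self.is_delegation_only(queried_zone):
            return "ACCEPT"
        if labels(qname) == labels(queried_zone):
            return "ACCEPT"          # apex data (SOA, apex NS) is allowed
        if any(is_proper_subdomain(o, queried_zone) for o in authority_ns_owners):
            return "ACCEPT"          # a real delegation to a child zone
        return "NXDOMAIN"            # undelegated or wildcard data is dropped

if __name__ == "__main__":
    # Constructed responses: (queried zone, query name, owners of authority NS RRs)
    policy = DelegationOnlyPolicy(root_delegation_only=True, exclude=["de"])
    for case in [("example", "typo.example", ["example"]),
                 ("example", "www.site.example", ["site.example"]),
                 ("de", "typo.de", ["de"])]:
        print(case, "->", policy.filter(*case))
```

In this model a wildcard answer from a TLD carries NS records owned by the TLD itself, so it fails the delegation test unless the TLD is on the exclude list.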


