delegation-only can break .name

Aage Strand astrand at gnr.com
Fri Oct 10 14:32:16 UTC 2003


Dear ISC,

Recently, in response to the introduction of wildcard records for .com and
.net, the ISC added functionality to BIND that modifies some answers given
by name servers to NXDOMAIN responses. It turns out that certain ISPs and
other DNS server operators have not deployed this patch on a
necessity-only basis. As a result, certain services supplied by operators
of TLD servers are experiencing operational issues.

The .name gTLD works by allowing a user to register the address
firstname@lastname.name. Currently, MX records for lastname.name are
issued by the authoritative .name servers. This is part of the original
agreement between the .name operator and ICANN, and can be read here:

http://www.icann.org/tlds/agreements/name/registry-agmt-appc-1-8aug03.htm#d

Anyone who configures the .name zone as delegation-only, or fails to
exclude .name from their root-delegation-only configuration, is currently
blocking email to any address of the type firstname@lastname.name. This
includes ALL people who have registered their .name email-forwarding
address.

We recommend that the root-delegation-only functionality be removed from
future versions of BIND, and that delegation-only functionality be
deployed by DNS operators on a strict necessity-only basis. We suggest
that users be given a clear warning of the possible consequences of using
this configuration, possibly with warnings in the logs and/or warnings on
start-up of BIND.

We kindly ask that the ISC take reasonable measures to inform BIND
operators of the need to exclude the .name gTLD from any delegation-only
functionality. Any additional steps that can be taken to inform operators
that have downloaded this specific patch would be much appreciated.

This sample query against the ISC resolving name server clearly
demonstrates the consequences for .NAME customers if ISPs deploy the
delegation-only functionality without excluding the .NAME zone:

$ dig @204.152.184.76 smith.name mx

; <<>> DiG 9.2.1 <<>> @204.152.184.76 smith.name mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;smith.name.			IN	MX

;; Query time: 2699 msec
;; SERVER: 204.152.184.76#53(204.152.184.76)
;; WHEN: Fri Oct 10 15:29:30 2003
;; MSG SIZE  rcvd: 28



Best Regards,
Aage Strand


-- 
Aage Strand
Development Manager
Global Name Registry Ltd.

Information contained herein is Global Name Registry Proprietary
Information and is made available to you because of your interest in our
company. This information is submitted in confidence and its disclosure 
to you is not intended to constitute public disclosure or authorization 
for disclosure to other parties.




More information about the bind-users mailing list
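
Added example, not part of the original message and not ISC or BIND code: a small Python check that scans named.conf text for the two settings the message describes, `root-delegation-only` without "name" in its `exclude` list, or a `zone "name"` declared `type delegation-only`. The sample configurations are constructed, the function name `name_mx_blockers` is hypothetical, and the regex parsing is a simplification that assumes no nested braces inside the matched blocks.

```python
import re

# Constructed sample configurations (not taken from any real server).
BROKEN = '''
options {
    directory "/var/named";
    root-delegation-only exclude { "de"; "museum"; };
};
zone "com" { type delegation-only; };
'''
FIXED = '''
options {
    directory "/var/named";
    // .name serves MX records for lastname.name from the TLD servers
    root-delegation-only exclude { "de"; "museum"; "name"; };
};
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
'''
ZONE_BROKEN = 'zone "name." { type delegation-only; };'

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings are ignored."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def name_mx_blockers(conf, tld="name"):
    """Return the reasons this config would treat `tld` as delegation-only."""
    conf = strip_comments(conf)
    reasons = []
    # Case 1: root-delegation-only is on and the TLD is not in the exclude list.
    m = re.search(r'\broot-delegation-only\b\s*(?:exclude\s*\{([^}]*)\})?\s*;', conf)
    if m:
        names = re.findall(r'"([^"]*)"', m.group(1) or '')
        excluded = {n.lower().rstrip('.') for n in names}
        if tld not in excluded:
            reasons.append(f'root-delegation-only does not exclude "{tld}"')
    # Case 2: the TLD itself is declared as a delegation-only zone.
    for zone, body in re.findall(r'\bzone\s+"([^"]+)"[^{]*\{([^}]*)\}', conf):
        is_tld = zone.lower().rstrip('.') == tld
        if is_tld and re.search(r'\btype\s+delegation-only\s*;', body):
            reasons.append(f'zone "{zone}" is type delegation-only')
    return reasons

if __name__ == "__main__":
    for label, conf in (("BROKEN", BROKEN), ("FIXED", FIXED), ("ZONE_BROKEN", ZONE_BROKEN)):
        print(label, name_mx_blockers(conf) or "ok")
```
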