(also -- bind8 workaround published) Re: delegation-only: Who?

Andris Kalnozols andris at hpl.hp.com
Thu Sep 25 06:25:12 UTC 2003


> "Jim McAtee" <jmcatee at mediaodyssey.com> writes:
> 
> > Over the past several days I've read a lot of conflicting opinions on which
> > TLDs could/should/can be safely designated as delegation-only.  The list of
> > those zones that should not be so designated seems to be constantly shifting.
> > I've come to the conclusion that we won't be using the "root-delegation-only"
> > option, as I can't make heads nor tails of the statements.
> 
> the current list of what's working for us at ISC will be maintained at the
> 
> 	http://www.isc.org/products/BIND/delegation-only.html
> 
> page, which by the way has just been updated with a rather ugly workaround
> for BIND8 sites.
> 
> > So, I'll use delegation-only zones.  Obviously "com" and "net" will be
> > designated.  What others can safely be designated delegation-only?
> 
> what do you mean by "safely"?  to my mind, .MUSEUM is on the list because
> the wildcard was in its original application, which was approved by icann.
> .US and .DE are on the list because they put customer data (A and MX) into
> the zone itself in order to somehow save the apparent cost of an NS and a
> separate nameserver -- and at the moment, neither one has a wildcard.
> 
> so far no trouble.  if anyone knows of other non-wildcarded tld's who put
> customer data into the tld zone itself, or of other wildcarded tld's whose
> wildcard was approved by icann at the time of application, please let us know.
> 
> tld wildcards serve only the interests of the registry.  the registrars,
> and the registrants, and the querying public, all pay indirect costs and
> only the registry gets any benefit.  i have a caretaker role for .TK and
> it has a wildcard which i think should not be there but i'm not responsible
> for the content or it would be gone by now.  therefore my advice is to not
> exclude the "TK" zone in your root-delegation-only configuration.
> -- 
> Paul Vixie

Just so the list is in one place, here are the TLDs with wildcard RRs.
Besides .MUSEUM, .COM, and .NET, I don't know their status with ICANN.
(the name servers for .HT, .ML, and .TJ are all down/lame at present)

  *.BZ.           IN A      216.220.34.101
  *.CC.           IN A      206.253.214.102
  *.CC.           IN MX     10 snubby.enic.CC.
  *.CN.           IN A      159.226.7.162
  *.COM.          IN A      64.94.110.11
  *.CX.           IN MX     10 mail.nonregistered.nic.CX.
  *.CX.           IN A      219.88.106.80
  *.MUSEUM.       IN A      195.7.77.20
  *.NET.          IN A      64.94.110.11
  *.NU.           IN A      64.55.105.9
  *.NU.           IN A      212.181.91.6
  *.PH.           IN A      203.119.4.6
  *.PW.           IN CNAME  wfb.dnsvr.com.
  *.TD.           IN CNAME  www.nic.TD.
  *.TK.           IN MX     20 NUKUMATAU.TALOHA.COM.
  *.TK.           IN A      217.69.159.151
  *.TK.           IN A      216.38.142.218
  *.TK.           IN A      217.69.159.150
  *.TW.           IN A      203.73.24.11
  *.VA.           IN MX     100 mx.it.net.
  *.VA.           IN MX     20 john.vatican.VA.
  *.VA.           IN MX     30 av.vatican.VA.
  *.WS.           IN A      216.35.187.246
  *.WS.           IN MX     10 mail.worldsite.WS.

Andris Kalnozols
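
An added example, not part of the original post and not ISC's or BIND's code: one way to check whether a TLD hands out answers for nonexistent names is to resolve several random labels under it. The function names and the stub resolver are hypothetical; the stub's addresses are copied from the list above so the block runs offline, and only wildcards that yield A records are detected (an MX-only wildcard such as the one listed for .VA is not).

```python
import secrets
import socket


def system_resolve(name):
    """Return the set of IPv4 addresses for name; empty set on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_tld(tld, resolve=system_resolve, probes=3):
    """Resolve `probes` random, almost certainly unregistered names under tld.

    Returns a sorted list of every address seen if all probes were answered,
    which means names that should not exist are being synthesized (a wildcard
    in the zone, or a rewriting resolver on the path). Returns [] as soon as
    one probe gets no answer.
    """
    seen = set()
    for _ in range(probes):
        name = f"wc-probe-{secrets.token_hex(12)}.{tld.strip('.')}."
        answers = resolve(name)
        if not answers:
            return []
        seen |= answers
    return sorted(seen)


# Constructed stub resolver for offline use. The addresses are the wildcard
# A records quoted in the post for COM and NU; ORG stands in for a TLD with
# no wildcard (an assumption made for the example).
STUB_WILDCARDS = {
    "com": {"64.94.110.11"},
    "nu": {"64.55.105.9", "212.181.91.6"},
}


def stub_resolve(name):
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return set(STUB_WILDCARDS.get(tld, set()))


if __name__ == "__main__":
    for tld in ("com", "nu", "org"):
        hits = probe_tld(tld, resolve=stub_resolve)
        print(f"{tld}: {'wildcard ' + ', '.join(hits) if hits else 'no wildcard seen'}")
```

Called without the `resolve` argument, `probe_tld` uses the system resolver, so a result reflects what that resolver returns, including any delegation-only filtering already applied upstream.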


