Authoritative Server - Referrals to root

Joe Greco jgreco at ns.sol.net
Thu Apr 7 21:25:33 UTC 2005


> For security reasons we should not be serving authoritative data if the
> end user does not want it/approve of it.  This above domain was one
> example - but it happens quite often on others.  A customer's DNS will
> expire / be terminated / or whatever else and unless they are current
> customers we should not be serving anything for them.  Serving
> authoritative data for a customer's zone without their permission could
> lead to legal problems (sitefinder revisited).

Just curious, how do you serve authoritative data for a customer's zone
unless you *have* their permission?

A customer can choose to list your nameservers as authoritative for their
zone when they register their domain.  You cannot force someone who does
not want to do this to do so.

There is no operational reason that our authoritative nameservers here 
cannot think that they're authoritative for, let's say, isc.org.  It has 
no operational impact on anybody even if we did, because nothing would
ever cause queries for isc.org to be routed to our authoritative
nameservers.  That's the difference between a closed-for-abuse customer
and the situation you're painting it as.

On a mildly related note...

Watching with some amusement the raging RFC1918 debate over in NANOG, I'll
even note that our authoritative nameservers claim authority for the
relevant in-addr.arpa zones, plus an artificial TLD aptly named "internal",
and our recursive resolvers are configured with zone stanzas listing
them as type forward; forward only pointing at our authoritatives.

But of course that's how we intend for it all to operate.  Tough nuts to
whoever tries to open a new TLD named "internal".  :-)

And tough nuts to a customer who gets closed for abuse and then leaves his
DNS pointing somewhere he's no longer welcome.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
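The private-namespace setup Joe describes (authoritatives that claim the RFC 1918 reverse zones plus an "internal" TLD, and recursive resolvers that reach them through forward-only zone stanzas), written out as BIND named.conf fragments. This is an added example, not configuration from the original post or from sol.net; the server addresses, file names and network ranges are assumptions.

```conf
// ======================================================================
// File 1 (assumed path /etc/named.conf on the authoritative server).
// This server only answers for the zones listed here; it never recurses.
// Nobody outside this network delegates these names to it, so claiming
// authority has no effect on anyone who does not forward queries here.
// ======================================================================
options {
    directory "/var/named";
    recursion no;
    allow-transfer { 192.0.2.54; };   // assumed secondary server
};

// RFC 1918 reverse zones.  10/8 and 192.168/16 map to one zone each;
// 172.16/12 spans 172.16 through 172.31, i.e. one zone per /16.
zone "10.in-addr.arpa" {
    type master;
    file "db.10.in-addr.arpa";
};

zone "168.192.in-addr.arpa" {
    type master;
    file "db.168.192.in-addr.arpa";
};

zone "16.172.in-addr.arpa" {
    type master;
    file "db.16.172.in-addr.arpa";
};
// (identical stanzas for 17.172 through 30.172 omitted here)
zone "31.172.in-addr.arpa" {
    type master;
    file "db.31.172.in-addr.arpa";
};

// The private TLD.  Names under it resolve only inside the network.
zone "internal" {
    type master;
    file "db.internal";
};

// ======================================================================
// File 2 (assumed path /etc/named.conf on a recursive resolver).
// "forward only" means: ask our authoritatives and, if they do not
// answer, fail; never fall back to iterative resolution from the roots.
// That is what keeps RFC 1918 reverse lookups and "internal" names from
// leaking to the public in-addr.arpa servers or to the root servers.
// ======================================================================
options {
    directory "/var/named";
    recursion yes;
    // assumed: only our own address space may recurse through this box
    allow-recursion { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
};

zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // assumed authoritatives
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};

zone "16.172.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
// (identical forward stanzas for 17.172 through 31.172 omitted here)

zone "internal" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
```

Two checks worth running after deploying this: `named-checkconf` on each file to catch syntax errors before a reload, and `dig @<resolver> -x 10.1.2.3` from inside the network, which should return the record from your own authoritatives rather than a referral or a root-sourced NXDOMAIN. On current BIND 9 releases, an explicitly configured zone stanza for one of these names also replaces the built-in empty zone that named would otherwise serve for RFC 1918 reverse space, so the forward stanzas are what make the resolver consult your servers at all.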