Authoritative Server - Referrals to root
Jim Reid
jim at rfc1035.com
Fri Apr 8 09:03:52 UTC 2005
On Apr 8, 2005, at 02:26, Joe Greco wrote:
>>> Watching with some amusement the raging RFC1918 debate over in NANOG,
>>> I'll even note that our authoritative nameservers claim authority for the
>>> relevant in-addr.arpa zones, plus an artificial TLD aptly named "internal",
>>> and our recursive resolvers are configured with zone stanzas listing
>>> them as type forward; forward only pointing at our authoritatives.
>>>
>>> But of course that's how we intend for it all to operate. Tough nuts to
>>> whoever tries to open a new TLD named "internal". :-)
>>
>> Nope. It'll be tough nuts for you and your users if the TLD "internal"
>> gets created one day.
>
> Not really. Use your head.

Let's see if I have. You've rigged your local network so that it knows
about this artificial TLD called internal. All your local users will
get directed to the local name servers that answer for this bogus TLD.
So far, so good. One day ICANN, in its infinite wisdom, creates a new
TLD called internal. This goes in the root zone so all of the internet
can resolve this domain. Except your local users. They get pointed at
your bogus version of this zone because that's where the local name
servers are told to send their queries for this zone.

Suppose a local user looks up foo.internal. How is anything supposed to
know if that's a query for foo.internal on the internet or foo.internal
in your private world? What if the name exists in one and not the
other? How are your name servers going to know what answer to return?
Do they respond with what's in this bogus TLD and perhaps give the
wrong answer? Or do they respond with what's in the real TLD and
perhaps give the wrong answer?

Now suppose www.foo.internal exists in both places, but with different
data. Which web site does the local user want to visit? How will your
local name servers know that? Where would these problems arise and
where would they need to be addressed? Hint: it's not the rest of the
internet or those places using the real .internal TLD.

The rest of the internet knows nothing about your bogus TLD and cares
even less. So they resolve the real .internal TLD, no problem. The same
goes for the operator of that TLD. Who's got the problem because of
your bogus TLD? Hint: it's not the real TLD operator or the rest of the
internet.

If there's something I've overlooked, please tell us.
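The setup Joe Greco describes, written out as an added BIND named.conf example for reference (it is not configuration from either poster); it is shown as two separate fragments, one per server, and the 192.0.2.10/192.0.2.11 addresses of the internal authoritative servers are assumed for illustration.

```conf
// ---- Fragment 1: recursive resolver the local users query ----
// Constructed example, not either poster's configuration.
// 192.0.2.10 and 192.0.2.11 are assumed addresses of the internal
// authoritative servers.
options {
    directory "/var/named";
    recursion yes;
};

// Every query under "internal." goes to the local authoritatives and
// nowhere else. "forward only" means the resolver never falls back to
// the root, so if a real .internal TLD is ever delegated these users
// keep getting the private copy: exactly the ambiguity Jim Reid raises.
zone "internal" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Same treatment for the RFC 1918 reverse zone, which keeps PTR lookups
// for 10.0.0.0/8 off the public DNS.
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// ---- Fragment 2: internal authoritative server (192.0.2.10) ----
// Claims authority for the private TLD and the reverse zone; the zone
// file names are assumed.
zone "internal" {
    type master;
    file "master/internal.zone";
};

zone "10.in-addr.arpa" {
    type master;
    file "master/10.in-addr.arpa.zone";
};
```

Because the forward-only stanza is unconditional, the resolver has no way to distinguish a query for a private name from one for a name in a future public .internal, which is the point of the reply above.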