Authoritative Server - Referrals to root

Jim Reid jim at rfc1035.com
Fri Apr 8 09:03:52 UTC 2005


On Apr 8, 2005, at 02:26, Joe Greco wrote:

>>> Watching with some amusement the raging RFC1918 debate over in NANOG,
>>> I'll even note that our authoritative nameservers claim authority for the
>>> relevant in-addr.arpa zones, plus an artificial TLD aptly named "internal",
>>> and our recursive resolvers are configured with zone stanzas listing
>>> them as type forward; forward only pointing at our authoritatives.
>>>
>>> But of course that's how we intend for it all to operate.  Tough nuts to
>>> whoever tries to open a new TLD named "internal".  :-)
>>
>> Nope. It'll be tough nuts for you and your users if the TLD "internal"
>> gets created one day.
>
> Not really.  Use your head.

Let's see if I have. You've rigged your local network so that it knows 
about this artificial TLD called internal. All your local users will 
get directed to the local name servers that answer for this bogus TLD. 
So far, so good. One day ICANN, in its infinite wisdom, creates a new 
TLD called internal. This goes in the root zone so all of the internet 
can resolve this domain. Except your local users. They get pointed at 
your bogus version of this zone because that's where the local name 
servers are told to send their queries for this zone.

Suppose a local user looks up foo.internal. How is anything supposed to 
know if that's a query for foo.internal on the internet or foo.internal 
in your private world? What if the name exists in one and not the 
other? How are your name servers going to know what answer to return? 
Do they respond with what's in this bogus TLD and perhaps give the 
wrong answer? Or do they respond with what's in the real TLD and 
perhaps give the wrong answer?

Now suppose www.foo.internal exists in both places, but with different 
data. Which web site does the local user want to visit? How will your 
local name servers know that? Where would these problems arise and 
where would they need to be addressed? Hint: it's not the rest of the 
internet or those places using the real .internal TLD.

The rest of the internet knows nothing about your bogus TLD and cares 
even less. So they resolve the real .internal TLD, no problem. The same 
goes for the operator of that TLD. Who's got the problem because of 
your bogus TLD? Hint: it's not the real TLD operator or the rest of the 
internet.

If there's something I've overlooked, please tell us.
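The forward-only arrangement under discussion, written out as an added named.conf illustration (not configuration posted by either participant): the stanza that sends every query under the invented TLD to the local authoritatives, followed by a collision-free alternative under a registered domain. The server addresses and corp.example.com are placeholders.

```conf
// Added example, not from the thread. Recursive resolver: every query
// under the invented TLD "internal" goes to the local authoritative servers.
// Addresses are placeholders from the RFC 5737 documentation range.
zone "internal" {
    type forward;
    forward only;            // on forwarder failure the query fails; no root fallback
    forwarders { 192.0.2.53; 192.0.2.54; };
};

// Consequence: if a real ".internal" TLD is ever delegated from the root,
// local users still see only the local copy. A name that exists only in the
// public TLD gets NXDOMAIN from the local authoritatives. "forward first"
// does not change this: NXDOMAIN is a valid answer, and fallback to normal
// resolution happens only when the forwarders fail to respond.

// Collision-free alternative: keep private names under a domain the
// organisation registers, so nobody else can ever be delegated that namespace.
zone "corp.example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
```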


