NXDOMAIN redirection in BIND 9.9
Michael Graff
mgraff at isc.org
Thu Sep 29 21:52:10 UTC 2011
On Sep 29, 2011, at 4:06 PM, Bill Owens wrote:
> I've obviously been asleep and not following along with the announcements of new features in BIND 9.9 until today
I'm happy you read it, and hope to see you at the forum/customer webinar next week! I'll be speaking, and will bring my fireproof undies.
> . . . both Evan's blog post <http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview> and the announcement of next week's webinar include NXDOMAIN redirection as the first new feature. I'm really surprised by that - is this something that BIND users were clamoring for?
Yes.
> Or is it a situation where other servers were providing this feature, and BIND needed it to maintain parity?
Yes.
> Obviously those of us who find this idea disturbing don't need to enable it, and DNSSEC provides an effective defense against those who would enable it* but it still leaves me curious.
We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusively -- than BIND 9.9 will.
> *except that perhaps those who enable this feature will use it as an excuse to avoid enabling validation, which would be a very bad result, IMO. . .
That's perhaps the case, but once again, it's up to the ISP ultimately. Don't think that just because BIND 9 didn't do this before, that people didn't. They instead use a proxy which filters answers, for instance, and returns whatever they want to the customer.
--Michael
More information about the bind-users
mailing list