Deprecation notice for BIND 9.18: (root-)delegation-only option

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Mar 27 09:47:15 UTC 2023


>> On 22.03.23 17:36, Ondřej Surý wrote:
>>> in line with our deprecation policy, I am notifying the mailing list about our intent
>>> to deprecate the delegation-only and root-delegation-only options.  This is again
>>> adept for expedited deprecation - it will be removed in BIND 9.20 and deprecated
>>> in BIND 9.18.

>> On 23. 3. 2023, at 17:57, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>> what's the reason? Code cleanliness?
>> Or is it problematic to maintain?

On 23.03.23 19:11, Ondřej Surý wrote:
>Those are wrong questions to ask - the right question to ask is whether this brings any
>value - and the answer is that it doesn't, then it becomes unmaintained and untested
>cruft.

my question was related to the next one.

>>> The (root-)delegation-options were introduced as a countermeasure for the infamous
>>> Site Finder by Verisign[1]. With the controversy around this and introduction of DNSSEC,
>>> the likelihood of this happening is infinitesimal.
>>>
>>> If you don't even know what those options do, the TL;DR is that it disables
>>> the non-delegation records for configured domains (TLD), this in turn might
>>> break legitimate TLDs like .de, .fr, .museum and others [2][3].
>>>
>>> If you know a legitimate reason to keep those options, please describe the use case
>>> here or in the issue mentioned below.
>>
>> well, if "just for sure no other AH tries that again" is not a reason for you...
>
>No, it will not happen again, at least not at the TLD level. The community has learned
>and ICANN has learned too.

this is what I wanted to hear.

Unfortunately there are companies that do this for their customers.

If this should happen at any level, what are the possibilities to discard 
such responses?

Use RPZ that will rewrite specific A/AAAA records into NODATA/NXDOMAIN?
We'd need the specific address(es) to rewrite but we could live with that.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
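
The RPZ approach asked about in the message above, as an added example that is not part of the original thread: it encodes known wildcard answer addresses as rpz-ip trigger owner names and pairs them with the NXDOMAIN (`CNAME .`) or NODATA (`CNAME *.`) policy action. The addresses are constructed documentation addresses, the helper names are hypothetical, and the resulting records are assumed to go into a policy zone listed under `response-policy` in named.conf.

```python
import ipaddress

# RPZ policy actions are expressed as special CNAME targets.
ACTIONS = {"NXDOMAIN": "CNAME .", "NODATA": "CNAME *."}

def rpz_ip_owner(cidr):
    """Encode an address or prefix as an rpz-ip trigger owner name,
    relative to the policy zone origin."""
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    if net.prefixlen == 0:
        raise ValueError("RPZ prefix length must be at least 1")
    if net.version == 4:
        # prefixlen.B4.B3.B2.B1: bytes reversed as in IN-ADDR.ARPA
        labels = str(net.network_address).split(".")[::-1]
    else:
        # prefixlen.W8...W1: 16-bit hex words, reversed; the longest run of
        # two or more zero words is written once as "zz" (like "::")
        words = [format(int(w, 16), "x")
                 for w in net.network_address.exploded.split(":")]
        best_start, best_len, i = 0, 0, 0
        while i < 8:
            j = i
            while j < 8 and words[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = max(j, i + 1)
        if best_len >= 2:
            words[best_start:best_start + best_len] = ["zz"]
        labels = words[::-1]
    return ".".join([str(net.prefixlen)] + labels + ["rpz-ip"])

def rpz_records(cidrs, action="NXDOMAIN"):
    """Return one policy zone line per address or prefix."""
    return [f"{rpz_ip_owner(c)}\t{ACTIONS[action]}" for c in cidrs]

# Constructed sample: addresses a wildcarding operator might return
WILDCARD_ANSWERS = ["192.0.2.1", "198.51.100.0/24", "2001:db8::1"]

if __name__ == "__main__":
    print("\n".join(rpz_records(WILDCARD_ANSWERS)))
```

An rpz-ip trigger fires on any answer containing a matching A/AAAA record, so a legitimate name hosted on the same address is rewritten too.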

