Maintained by: NLnet Labs

[Unbound-users] Delegation-only zones and non-root zone RFC 5011?

Florian Weimer
Sun Jan 18 00:28:55 CET 2015


* Viktor Dukhovni:

> It would be nice if unbound were able to enforce "delegation-only"
> zones that contain only delegations and glue.  This would be useful
> for the root zone and various TLDs.  Otherwise, such zones can
> return apparently valid signed responses that should have been
> delegated to a child zone, but for some reason were not.

There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky.  The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.