Delegation-only zones and non-root zone RFC 5011?

Viktor Dukhovni
Sun Jan 18 19:15:52 CET 2015

On Sun, Jan 18, 2015 at 12:28:55AM +0100, Florian Weimer wrote:

> > It would be nice if unbound were able to enforce "delegation-only"
> > zones that contain only delegations and glue.  This would be useful
> > for the root zone and various TLDs.  Otherwise, such zones can
> > return apparently valid signed responses that should have been
> > delegated to a child zone, but for some reason were not.
> There are very few strictly-delegation-only zones, and zones change
> their status over time, so this feature seems fairly risky.  The ISC
> recommendations for BIND make recursors subject to denial-of-service
> attacks that prevent name resolution for entire TLDs.

Is the root zone at least compatible with a "delegation-only" policy?
Can you be a bit more specific about the DoS?

I've certainly seen ccTLD zones that are not delegation-only, for
example "" is a CNAME for "".  That clearly is
neither a delegation nor glue, so "li" is not "delegation-only".

Without some constraints on which queries the root, gTLD and ccTLD
can choose to answer rather than delegate, it seems difficult to
make "transparency" work for DNSSEC.  There is likely future work
to be done here...

On Sat, Jan 17, 2015 at 10:08:48PM +0000, Viktor Dukhovni wrote:

> Also, how would one configure unbound to use an auto-trust-anchor-file
> via RFC 5011 for a given gTLD or ccTLD?

Any comment on my second question?  If one enables RFC 5011 tracking
for all the trust anchors one cares about, it is no longer necessary
to worry about delegation-only above those trust anchors.
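
As an added illustration of the "delegation-only" property discussed above (example code, not part of this thread and not unbound or BIND code): a check over a zone's RRsets that flags anything the parent answers itself rather than delegating, with the apex, cut and glue record types as assumptions of the policy. The zone contents are constructed and "tld." is a placeholder, not a real TLD.

```python
"""Added example (not from the thread): flag the records in an authoritative
zone that are neither delegations nor glue, i.e. what a "delegation-only"
policy would reject.  Zone contents are constructed; "tld." is a placeholder."""
from typing import Iterable, List, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata); names absolute
APEX_TYPES = {"SOA", "NS", "DNSKEY", "NSEC3PARAM"}  # legitimate at the zone apex
CUT_TYPES = {"NS", "DS"}                            # what a delegation consists of
GLUE_TYPES = {"A", "AAAA"}                          # addresses of in-bailiwick NS
META_TYPES = {"RRSIG", "NSEC", "NSEC3"}             # DNSSEC data tied to other RRsets

def delegation_only_violations(apex: str, records: Iterable[Record]) -> List[Tuple[str, str]]:
    """Return (owner, type) pairs that a delegation-only policy would not allow."""
    apex = apex.lower()
    recs = [(o.lower(), t.upper(), d.lower()) for o, t, d in records]
    # Zone cuts: every non-apex name owning an NS RRset is a delegation point.
    cuts = {o for o, t, _ in recs if t == "NS" and o != apex}
    # Glue is only legitimate for name servers that live at or under a cut.
    ns_targets = {d for o, t, d in recs if t == "NS" and o != apex}
    bad = []
    for owner, rtype, _ in recs:
        if rtype in META_TYPES:
            continue  # signatures and denial-of-existence follow the data they cover
        if owner == apex:
            ok = rtype in APEX_TYPES
        elif owner in cuts:
            ok = rtype in CUT_TYPES | GLUE_TYPES
        elif owner in ns_targets and any(owner.endswith("." + c) for c in cuts):
            ok = rtype in GLUE_TYPES
        else:
            ok = False  # the parent answers this itself instead of delegating
        if not ok:
            bad.append((owner, rtype))
    return bad

# Constructed TLD zone: two proper delegations with glue, plus a CNAME the TLD
# answers directly, the shape of the ccTLD case mentioned in the thread.
SAMPLE_TLD: List[Record] = [
    ("tld.", "SOA", "a.nic.tld. hostmaster.nic.tld. 1 7200 3600 1209600 3600"),
    ("tld.", "NS", "a.nic.tld."),
    ("tld.", "DNSKEY", "257 3 13 <constructed key>"),
    ("tld.", "RRSIG", "DNSKEY 13 1 3600 <constructed signature>"),
    ("nic.tld.", "NS", "a.nic.tld."),
    ("a.nic.tld.", "A", "192.0.2.53"),
    ("example.tld.", "NS", "ns1.example.tld."),
    ("example.tld.", "DS", "12345 13 2 <constructed digest>"),
    ("ns1.example.tld.", "A", "192.0.2.1"),
    ("www.tld.", "CNAME", "www.nic.tld."),
]
```

Running `delegation_only_violations("tld.", SAMPLE_TLD)` reports only the CNAME at `www.tld.`; the same function applied to a root-style zone of pure NS records and glue returns nothing.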