Johan Ihrén <johani at johani.org> wrote:
> On 18 Jan 2015, at 19:15 , Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > On Sun, Jan 18, 2015 at 12:28:55AM +0100, Florian Weimer wrote:
> >>
> >> There are very few strictly-delegation-only zones, and zones change
> >> their status over time, so this feature seems fairly risky. The ISC
> >> recommendations for BIND make recursors subject to denial-of-service
> >> attacks that prevent name resolution for entire TLDs.

I don't think turning on root-delegation-only has been recommended by the
ISC for years.

> > On Sat, Jan 17, 2015 at 10:08:48PM +0000, Viktor Dukhovni wrote:
> >
> >> Also, how would one configure unbound to use an auto-trust-anchor-file
> >> via RFC 5011 for a given gTLD or ccTLD?
> >
> > Any comment on my second question? If one enables RFC 5011 tracking
> > for all the trust anchors one cares about, it is no longer necessary
> > to worry about delegation-only above those trust anchors.

I don't know of any zones other than the root which promise to follow the
RFC 5011 key rollover timing requirements. (And even the root zone does it
wrong by not having a standby KSK.) If you want to use RFC 5011 on a TLD
you will have to inspect their DNSSEC Practice Statement with care.

Tony.
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Faeroes, Southeast Iceland: Variable 4 at first except in the west of
Southeast Iceland, otherwise southeasterly veering southerly 5 to 7,
increasing gale 8 for a time, occasionally severe gale 9 until later in
Southeast Iceland. Moderate or rough, becoming very rough or high. Rain or
wintry showers. Moderate or good, occasionally poor.