Maintained by: NLnet Labs

[Unbound-users] Delegation-only zones and non-root zone RFC 5011?

Florian Weimer
Tue Jan 20 20:35:04 CET 2015


* Viktor Dukhovni:

> On Sun, Jan 18, 2015 at 12:28:55AM +0100, Florian Weimer wrote:
>
>> > It would be nice if unbound were able to enforce "delegation-only"
>> > zones that contain only delegations and glue.  This would be useful
>> > for the root zone and various TLDs.  Otherwise, such zones can
>> > return apparently valid signed responses that should have been
>> > delegated to a child zone, but for some reason were not.
>> 
>> There are very few strictly-delegation-only zones, and zones change
>> their status over time, so this feature seems fairly risky.  The ISC
>> recommendations for BIND make recursors subject to denial-of-service
>> attacks that prevent name resolution for entire TLDs.
>
> Is the root zone at least compatible with a "delegation-only" policy?
> Can you be a bit more specific about the DoS?

A zone did not delegate its name servers.  If you queried for their
addresses using a regular client, subsequent cache misses from the
zone would result in error responses because BIND could not find any
valid name servers anymore.

There's also the question of further protocol development which might
introduce additional authoritative records such as DNSKEY (but IIRC,
BIND only applies the filter to A/AAAA queries).
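The failure mode Florian describes, as an added toy model that is not part of this thread and not Unbound or BIND code. A fictitious TLD "tld." has its name servers at names under nic.tld, which the TLD zone serves authoritatively instead of delegating. A resolver-side delegation-only policy, applied (as the post says of BIND) to A/AAAA responses, accepts referrals with glue but rejects the authoritative answers for the name-server names. Once a client has asked for those addresses directly, the cached failures outrank the glue learned from the root and every later lookup under the TLD fails. All names and addresses are constructed (192.0.2.0/24 is documentation space); the two-tier cache and the assumption that a rejected answer is cached as a failure are simplifications chosen to reproduce the outcome the post describes:

```python
"""Toy model of a resolver-side "delegation-only" policy and the denial-of-service
it can cause. Constructed example: zone data, names and addresses are invented;
this is not Unbound or BIND code."""

from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal model of a response to an A query."""
    qname: str
    aa: bool                                         # authoritative-answer bit
    answer: dict = field(default_factory=dict)       # name -> addresses (answer section)
    referral_ns: list = field(default_factory=list)  # NS names of a referral
    glue: dict = field(default_factory=dict)         # additional-section addresses


# Fictitious TLD "tld." whose name servers sit under nic.tld, a name the TLD zone
# serves authoritatively instead of delegating (the situation the post describes).
TLD_NS = ["ns1.nic.tld.", "ns2.nic.tld."]
TLD_AUTH_A = {"ns1.nic.tld.": ["192.0.2.1"], "ns2.nic.tld.": ["192.0.2.2"]}
TLD_DELEGATIONS = {"example.tld.": (["ns.example.tld."], {"ns.example.tld.": ["192.0.2.53"]})}


def root_referral_for_tld():
    """Referral the root servers hand out for anything under tld., with glue."""
    return Response("tld.", aa=False, referral_ns=TLD_NS, glue=dict(TLD_AUTH_A))


def tld_server_answer(qname):
    """What the tld. servers return for an A query on qname."""
    for child, (ns, glue) in TLD_DELEGATIONS.items():
        if qname == child or qname.endswith("." + child):
            return Response(qname, aa=False, referral_ns=ns, glue=glue)
    if qname in TLD_AUTH_A:
        return Response(qname, aa=True, answer={qname: TLD_AUTH_A[qname]})
    return Response(qname, aa=True)  # authoritative negative answer


def delegation_only_check(resp):
    """Policy applied to A/AAAA responses from a delegation-only zone: referrals
    (NS plus glue) are accepted, authoritative answers are rejected."""
    if resp.referral_ns:
        return True, "referral"
    if resp.aa and resp.answer:
        return False, "authoritative answer from a delegation-only zone"
    return True, "negative answer"


def new_cache():
    """Two tiers, mirroring resolver trust ranking (assumption of this model):
    'auth' holds results of direct queries (None = recorded failure) and
    outranks 'glue' learned from referrals."""
    return {"auth": {}, "glue": {}}


def pick_tld_server(cache):
    """Find a usable tld. server address; a recorded failure makes that NS unusable."""
    if not cache["glue"]:
        cache["glue"].update(root_referral_for_tld().glue)
    for ns in TLD_NS:
        if ns in cache["auth"]:
            if cache["auth"][ns]:
                return cache["auth"][ns][0]
            continue  # failure cached for this NS name; try the next one
        if ns in cache["glue"]:
            return cache["glue"][ns][0]
    return None


def resolve_a(qname, cache, delegation_only):
    """Resolve an A query under tld. Returns (status, data): data is the answer
    addresses, or the child's NS glue when the result is a referral."""
    if qname in cache["auth"]:
        hit = cache["auth"][qname]
        return ("OK", hit) if hit else ("SERVFAIL", [])
    if pick_tld_server(cache) is None:
        return "SERVFAIL", []            # no name-server address left to ask
    resp = tld_server_answer(qname)
    if delegation_only:
        ok, _reason = delegation_only_check(resp)
        if not ok:
            cache["auth"][qname] = None  # the failure is cached and outranks glue
            return "SERVFAIL", []
    if resp.referral_ns:
        cache["glue"].update(resp.glue)
        return "REFERRAL", resp.glue
    if resp.answer:
        cache["auth"][qname] = resp.answer[qname]
        return "OK", resp.answer[qname]
    return "NXDOMAIN", []


def scenario(delegation_only):
    """A client first asks for the TLD's own name-server addresses, then for a
    delegated child. Returns the status of the final query."""
    cache = new_cache()
    for ns in TLD_NS:
        resolve_a(ns, cache, delegation_only)
    status, _ = resolve_a("example.tld.", cache, delegation_only)
    return status


if __name__ == "__main__":
    print("policy off:", scenario(False))   # REFERRAL: the child can be reached
    print("policy on: ", scenario(True))    # SERVFAIL: no usable tld. server left
```

The check itself is cheap to state; what the model makes visible is the interaction with the cache: the policy does not just refuse one answer, it removes the only addresses the resolver had for the zone's servers, which is why the post treats it as a resolver-side denial of service rather than a harmless filter.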