[plug] Q for the DNS gurus
Bernard Blackham
bernard at blackham.com.au
Sat Apr 9 12:32:13 WST 2005
On Sat, Apr 09, 2005 at 08:35:15AM +0800, William Kenworthy wrote:
> I have just upgraded bind and see that gentoo recommends adding some
> lines to named.conf to avoid the verisign A wildcard
>
> * zone com IN { type delegation-only; };
> * zone net IN { type delegation-only; };
>
> Are these additions necessary in my configuration, if not, when should
> the above be used. I use bind as a pure caching DNS on a laptop, and
> with some local zones added at home.
They make sure that the .com and .net domain name servers only
delegate to other servers, and do not return A records. This was
spawned back when last year VeriSign decided that they would make a
global wildcard A record for any domain name that did not exist, and
point it at one of their servers.
There was much uproar, as it broke the internet in many ways, so the
BIND team added that option to bind which meant your DNS server
would not allow top-level DNS servers to return addresses. Whilst
VeriSign have pulled the global wildcard records, if everybody has
that option in place, it means nobody can pull the same stunt
again (at least on .com and .net) ...
Bernard.
--
Bernard Blackham <bernard at blackham dot com dot au>
More information about the plug
mailing list