[Unbound-users] Delegation-only zones and non-root zone RFC 5011?
Florian Weimer
fw at deneb.enyo.de
Sat Jan 17 23:28:55 UTC 2015
* Viktor Dukhovni:
> It would be nice if unbound were able to enforce "delegation-only"
> zones that contain only delegations and glue. This would be useful
> for the root zone and various TLDs. Otherwise, such zones can
> return apparently valid signed responses that should have been
> delegated to a child zone, but for some reason were not.
There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky. The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.
More information about the Unbound-users
mailing list