[Unbound-users] Delegation-only zones and non-root zone RFC 5011?

Florian Weimer fw at deneb.enyo.de
Sat Jan 17 23:28:55 UTC 2015

* Viktor Dukhovni:

> It would be nice if unbound were able to enforce "delegation-only"
> zones that contain only delegations and glue.  This would be useful
> for the root zone and various TLDs.  Otherwise, such zones can
> return apparently valid signed responses that should have been
> delegated to a child zone, but for some reason were not.

There are very few strictly-delegation-only zones, and zones change
there status over time, so this feature seems fairly risky.  The ISC
recommendations for BIND make recursors subject to denial-of-service
attacks that prevent name resolution for entire TLDs.

More information about the Unbound-users mailing list