reply for reserved TLDs

Tony Finch dot at dotat.at
Tue Oct 27 14:54:18 UTC 2020


Sonic via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
> What is considered the best reply from a local cache to avoid traffic
> to the root servers for domains that are reserved (for local use etc.,
> such as .home, .corp) or those you wish to block?

It depends (TM).

RFC 6761 explains how special-use domain names are registered, and part of
each registration is a description of how various kinds of DNS software
should handle the special name. So in many cases you can consult the IANA
registry for pointers to RFCs that say how your server should work.

https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

I used to have a fairly elaborate configuration that returned NXDOMAIN for
lots of special-use domains, but I dropped all that rubbish when RFC 8198
NSEC negative answer synthesis became a thing. A locally-served root zone
gets you some of the same benefits.

NXDOMAIN is generally safer than REFUSED because there's less risk of
provoking clients to make useless retries.

There's one complication that I know of: RFC 6762 says that recursive
servers should reply with NXDOMAIN for .local, but Avahi (a Linux
implementation of mDNS) tries to work out if .local is a real zone and if
so it stops doing mDNS, which is not nice when it is an unexpected
side-effect! If unbound's always_nxdomain returns NXDOMAIN for everything
_including_ the local-zone's apex (i.e. .local itself must be NXDOMAIN)
then you will be OK. (I can't tell from the docs if this is the case.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Faeroes: Easterly 5 to 7, occasionally gale 8 in west. Moderate or rough,
becoming very rough or high later. Rain. Good, occasionally moderate.
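A concrete way to act on the advice above, added here as an example and not part of Tony's message or the Unbound project: generate `always_nxdomain` local-zone lines for the names in question, and keep a small helper that states the rcode we expect so the apex case (the Avahi caveat) can be checked against a live resolver with dig. The list of zones is constructed for the example, and it is an assumption, to be confirmed by the live check, that `always_nxdomain` covers the zone apex as well as names below it.

```shell
#!/bin/sh
# Example, not from the thread or Unbound itself. Constructed list of names to
# sink: .home and .corp from the question, .local for the RFC 6762 case.
SINK_ZONES="home. corp. local."

# Print the unbound.conf fragment; the lines belong under the server: clause.
gen_local_zones() {
    for z in $SINK_ZONES; do
        printf 'local-zone: "%s" always_nxdomain\n' "$z"
    done
}

# Rcode we expect for a query name: NXDOMAIN for a sunk apex or anything
# below it (assumption to be verified), NOERROR for everything else.
expected_rcode() {
    q=$1
    for z in $SINK_ZONES; do
        [ "$q" = "$z" ] && { echo NXDOMAIN; return 0; }
        case $q in
            *."$z") echo NXDOMAIN; return 0 ;;
        esac
    done
    echo NOERROR
}

# Live check against a running resolver (needs dig). For each zone it asks for
# the apex itself and one child name, and compares the observed status with the
# expectation; a mismatch on the apex is exactly the Avahi problem.
check_live() {
    server=${1:-127.0.0.1}
    for z in $SINK_ZONES; do
        for q in "$z" "printer.$z"; do
            got=$(dig @"$server" +noall +comments "$q" A |
                  sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
            want=$(expected_rcode "$q")
            printf '%-20s want %-8s got %s\n' "$q" "$want" "$got"
            [ "$got" = "$want" ] || return 1
        done
    done
}
```

Run `gen_local_zones` to produce the fragment, reload Unbound, then `check_live` to confirm that both `home.` and `printer.home.` come back NXDOMAIN rather than only the children.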