[Yeti DNS Discuss] Out-of-bailiwick glue in the root zone

Shane Kerr shane at biigroup.cn
Thu Aug 20 04:12:02 UTC 2015


We had a brief discussion about some records in the root zone amongst
the coordinators, but I wanted to ask about it here.

The root zone has a bunch of out-of-bailiwick glue (also called
"optional glue" some places).

Davey found this example (there are many more):

abb.           172800 IN NS   d5.nstld.com.
d5.nstld.com.  172800 IN A

d5.nstld.com is under the .COM domain, and it is not glue for the .COM
domain itself. As I understand it, a careful resolver will ignore
this to avoid possibly corrupting its cache.

So my question is... what is the purpose of these records? Is it just
historical? Or is it an artifact of the IANA zone generation process
where they include these records "just in case"? Or concern about
resolvers that somehow don't get out-of-bailiwick NS records properly
(which really won't work at all)?

There may be a rule about being allowed to use these responses in the
context of resolving a single name, as long as these IP addresses are
not added to a cache... I don't know. The data is not signed by DNSSEC
so I don't see how it can be trusted (an attacker can modify a reply
with a signed ANSWER section and change the ADDITIONAL section freely).

I'm thinking we should run an experiment where the Yeti root servers
use "minimal-responses" or the equivalent to see if it works, and
possibly a follow-up experiment where we actually remove this
unnecessary glue from the Yeti root zone itself... 



More information about the discuss mailing list