[Yeti DNS Discuss] Yeti root servers that are authoritative for other domains

Shane Kerr shane at biigroup.cn
Thu Jun 16 12:47:50 UTC 2016


Hello,

I am testing a program I wrote to compare IANA root server answers with
Yeti root server answers. (It's not quite ready for general use I
think, but it seems basically functional.)

One difference that I have found is that at least one Yeti root server
is authoritative for other zones besides root. This means that if you
send a query to that server it will answer authoritatively, instead of
with a delegation.

So, if you are looking for "fromitz.nl" you might get an answer, instead
of a referral to the NL servers. This only happens from some Yeti root
servers.

While this is not a protocol violation, it means that some Yeti servers
give different answers to the same question.

Should we do anything about this?

* We can declare this a bad idea, and ask operators to fix this
  configuration.

* We can decide that this is okay, since (as I say) the protocol is not
  violated. (This will show up as differences from what the IANA root
  servers respond, but the answers that a recursive resolver will
  arrive at are identical.)

* We can allow it but be nervous... perhaps requiring a statement from
  the operator saying "it's okay, I know what I'm doing", or perhaps
  requiring DNSSEC, or... ?

Note that the IANA root servers kind of operate in this way today, as
the A-F root servers are authoritative for IN-ADDR.ARPA and IP6.ARPA,
but the rest are not. (I say "kind of" since those ARPA domains are
delegation-only.)

Cheers,

--
Shane
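
The difference described in the message above shows up in the response itself: a referral has the AA bit clear, an empty answer section and NS records in the authority section, while an authoritative answer has AA set and a non-empty answer section. The following is an added example, not the comparison program mentioned in the message; the sample responses, the name ns1.example and the address 192.0.2.1 are constructed for illustration.

```python
import struct

TYPE_A, TYPE_NS, AA_BIT = 1, 2, 0x0400

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):  # returns (name, offset after it); follows compression pointers
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16: raise ValueError("compression pointer loop")
        elif n == 0:                         # root label ends the name
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n

def classify(msg):
    """Return ('authoritative-answer' | 'referral' | 'other', delegated zone or None)."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, records = 12, []
    for _ in range(qd):                      # skip question: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns):                 # walk answer, then authority section
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        records.append((owner, rtype))
    cut = sorted(o for o, t in records[an:] if t == TYPE_NS)
    if flags & AA_BIT and an:
        return "authoritative-answer", None
    if not flags & AA_BIT and not an and cut:
        return "referral", cut[0]
    return "other", None

def build(qname, aa, answers, authority):  # constructed sample data, not captured traffic
    msg = struct.pack("!6H", 1, 0x8000 | (AA_BIT if aa else 0), 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers + authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

REFERRAL = build("fromitz.nl", False, [], [("nl", TYPE_NS, encode_name("ns1.example"))])
ANSWER = build("fromitz.nl", True, [("fromitz.nl", TYPE_A, bytes([192, 0, 2, 1]))], [])
```

Running classify() on the responses that each root server returns for the same query, and comparing the results, flags the servers that answer instead of delegating.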
