jm + delegation   1

Chris's Wiki :: blog/sysadmin/UnderstandingIODNSIssue
On the ns-a1.io security screwup for the .io CCTLD:
Using data from glue records instead of looking things up yourself is common but not mandatory, and there are various reasons why a resolver would not do so. Some recursive DNS servers will deliberately try to check glue record information as a security measure; for example, Unbound has the harden-referral-path option (via Tony Finch). Since the original article reported seeing real .io DNS queries being directed to Bryant's DNS server, we know that a decent number of clients were not using the root zone glue records. Probably a lot more clients were still using the glue records, through.


(via Tony Finch)
via:fanf  dns  security  dot-io  cctlds  glue-records  delegation 
july 2017 by jm

Copy this bookmark:



description:


tags: