[TriLUG] OT: Router then Firewall

Tanner Lovelace clubjuggler at gmail.com
Mon May 22 18:19:08 EDT 2006


On 5/22/06, Rick DeNatale <rick.denatale at gmail.com> wrote:
> I don't know for sure, but I'm pretty sure that the root name servers
> NEVER answered directly for ANY top level domains.

And, I'm pretty sure they used to, so we're at an impasse
there.

> They are part of
> the mechanism of dns, and have been pretty much policy free for quite
> some time, the matter of how domains are registered and by whom, is a
> matter of policy set by ICANN now, and DOD/Jon Postel at ISC/USC
> before.

Ugh, don't even get started on the disaster known as ICANN (or better
yet, I CAN'T)...

[...]

> Now, I'm not sure what the correct terminology for a second level
> domain like trilug.org is, for want of a better term, let's call it a
> second level domain.  I'd argue that this is what most folks think of
> as a domain, it's what you register with a registrar.

I believe the top level domains are generally known as
"Generic Top Level Domains" and things like trilug.org
were called something else, but "second-level domain"
gets the point across.

> I'm still almost certain, that you can't get the OVERALL internet to
> see the nameserver(s) for your domain without going through your
> registrar*.  Now it's true that you can have third (and perhaps
> higher) level name servers which are only visible because your second
> level name server knows about them, but I'm also pretty sure that this
> whole discussion has been about second level domains.

And I still say you're wrong about this.  Your nameserver
is perfectly free to delegate to whoever you want it to.
You could even, using views or something like that,
set things up so that your slave name servers can get your
entire domain information but anyone else requesting it
gets delegated to the slave name servers.  This is perfectly
valid in the DNS spec.

> * I suppose that it MIGHT be possible through a misconfiguration of
> secondary/slave servers outside of your domain which serve your domain
> to partially advertise a new name server, but this will lead to an
> inconsistent view of your domain to the internet. I guess that this
> might have been what Aaron was hinting about with his "by accident"
> remark.

That's certainly possible too, but by no means the only way.

Cheers,
Tanner
-- 
Tanner Lovelace
clubjuggler at gmail dot com
http://wtl.wayfarer.org/
(fieldless) In fess two roundels in pale, a billet fesswise and an
increscent, all sable.
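
Added example, not part of the original message: a small Python model of the referral chain discussed in this thread, run over constructed zone data (every server name, zone and address below is made up). It shows a resolver reaching a second-level zone through the NS set held in the parent zone, a third-level zone delegated by the zone's own name server, and a check for the inconsistent NS view mentioned in the quoted footnote.

```python
# Constructed in-memory zones: every server name, zone and address is made up.
ZONES = {
    "a.root.test": {"apex_ns": {"a.root.test"}, "a": {},
                    "cuts": {"org.": ["ns.tld.test"]}},
    # Delegation for example.org as held in the parent (TLD) zone.
    "ns.tld.test": {"apex_ns": {"ns.tld.test"}, "a": {},
                    "cuts": {"example.org.": ["ns1.example.org", "ns2.example.org"]}},
    # The zone's own server delegates lab.example.org below its apex.
    "ns1.example.org": {"apex_ns": {"ns1.example.org", "ns2.example.org"},
                        "a": {"www.example.org.": "192.0.2.10"},
                        "cuts": {"lab.example.org.": ["ns.lab.test"]}},
    # A secondary whose apex NS set advertises a server the parent does not list.
    "ns2.example.org": {"apex_ns": {"ns1.example.org", "ns2.example.org", "ns3.example.org"},
                        "a": {"www.example.org.": "192.0.2.10"},
                        "cuts": {"lab.example.org.": ["ns.lab.test"]}},
    "ns.lab.test": {"apex_ns": {"ns.lab.test"}, "cuts": {},
                    "a": {"host.lab.example.org.": "192.0.2.77"}},
}

def query(server, name):
    """Answer from local data, or refer to the closest enclosing zone cut."""
    zone = ZONES[server]
    for cut in sorted(zone["cuts"], key=len, reverse=True):
        if name == cut or name.endswith("." + cut):
            return "referral", zone["cuts"][cut]
    if name in zone["a"]:
        return "answer", zone["a"][name]
    return "nxdomain", None

def resolve(name, server="a.root.test", max_hops=8):
    """Follow referrals iteratively from the root; return (servers asked, result)."""
    path = []
    for _ in range(max_hops):
        path.append(server)
        kind, data = query(server, name)
        if kind != "referral":
            return path, data
        server = data[0]  # simplification: always ask the first listed server
    raise RuntimeError("too many referrals")

def ns_mismatches(parent, zone):
    """Map each delegated server to the NS names on which it disagrees with the parent."""
    published = set(ZONES[parent]["cuts"][zone])
    return {child: sorted(ZONES[child]["apex_ns"] ^ published)
            for child in sorted(published)
            if ZONES[child]["apex_ns"] != published}

if __name__ == "__main__":
    print(resolve("host.lab.example.org."))
    print(ns_mismatches("ns.tld.test", "example.org."))
```
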


