[TriLUG] OT: Router then Firewall

Aaron S. Joyner aaron at joyner.ws
Wed May 24 10:33:56 EDT 2006


Tanner Lovelace wrote:

> On 5/22/06, Rick DeNatale <rick.denatale at gmail.com> wrote:
>
>> I don't know for sure, but I'm pretty sure that the root name servers
>> NEVER answered directly for ANY top level domains.
>
>
> And, I'm pretty sure they used to, so we're at an impasse
> there.
>
>> They are part of
>> the mechanism of dns, and have been pretty much policy free for quite
>> some time, the matter of how domains are registered and by whom, is a
>> matter of policy set by ICANN now, and DOD/Jon Postel at ISC/USC
>> before.
>
>
> Ugh, don't even get started on the disaster known as ICANN (or better
> yet, I CAN'T)...
>
> [...]
>
>> Now, I'm not sure what the correct terminology for a second level
>> domain like trilug.org is, for want of a better term, let's call it a
>> second level domain.  I'd argue that this is what most folks think of
>> as a domain, it's what you register with a registrar.
>
>
> I believe the top level domains are generally known as
> "Generic Top Level Domains" and things like trilug.org
> were called something else, but "second-level domain"
> gets the point across.
>
>> I'm still almost certain, that you can't get the OVERALL internet to
>> see the nameserver(s) for your domain without going through your
>> registrar*.  Now it's true that you can have third (and perhaps
>> higher) level name servers which are only visible because your second
>> level name server knows about them, but I'm also pretty sure that this
>> whole discussion has been about second level domains.
>
>
> And I still say you're wrong about this.  Your nameserver
> is perfectly free to delegate to whoever you want it to.
> You could even, using views or something like that,
> set things up so that your slave name servers can get your
> entire domain information but anyone else requesting it
> gets delegated to the slave name servers.  This is perfectly
> valid in the DNS spec.
>
>> * I suppose that it MIGHT be possible through a misconfiguration of
>> secondary/slave servers outside of your domain which serve your domain
>> to partially advertise a new name server, but this will lead to an
>> inconsistent view of your domain to the internet. I guess that this
>> might have been what Aaron was hinting about with his "by accident"
>> remark.
>
>
> That's certainly possible too, but by no means the only way.
>
> Cheers,
> Tanner

Ah, finally some good back-and-forth discussion.  :)  The fastest way to
get the right answer is for someone to post the wrong one.  I'm glad
you two have finally worked around to a mostly correct solution, thanks
much to Rick for informative input as well.  There are still a few loose
ends, so I'll tidy up and post my thoughts when I have some more time
(after the huge presentation I've been preparing for this morning, PST).

Aaron S. Joyner


