[TriLUG] OT: Router then Firewall

Rick DeNatale rick.denatale at gmail.com
Wed May 24 13:28:30 EDT 2006


On 5/22/06, Tanner Lovelace <clubjuggler at gmail.com> wrote:
> On 5/22/06, Rick DeNatale <rick.denatale at gmail.com> wrote:

> > Now, I'm not sure what the correct terminology for a second level
> > domain like trilug.org is, for want of a better term, let's call it a
> > second level domain.  I'd argue that this is what most folks think of
> > as a domain, it's what you register with a registrar.
>
> I believe the top level domains are generally known as
> "Generic Top Level Domains" and things like trilug.org
> were called something else, but "second-level domain"
> gets the point across.

Not quite; top level domains are separated into country code TLDs
(ccTLDs) like us. ca. to. etc., and generic top level domains (e.g.
com. edu. net. etc.).
>
> > I'm still almost certain, that you can't get the OVERALL internet to
> > see the nameserver(s) for your domain without going through your
> > registrar*.  Now it's true that you can have third (and perhaps
> > higher) level name servers which are only visible because your second
> > level name server knows about them, but I'm also pretty sure that this
> > whole discussion has been about second level domains.
>
> And I still say you're wrong about this.  Your nameserver
> is perfectly free to delegate to whoever you want it to.
> You could even, using views or something like that,
> set things up so that your slave name servers can get your
> entire domain information but anyone else requesting it
> gets delegated to the slave name servers.  This is perfectly
> valid in the DNS spec.

I think that this may be a problem with my being unclear.  Let me pick
things apart a tad.

Let's say "Alma Mater University" wants to have a subdomain like
physics.almamater.edu. It can certainly have a name server which
serves up that DNS name space, BUT the question then becomes: how
does an outsider know about THAT name server? Presumably the name
server for almamater.edu forwards to it, but that name server needs to
be known to the internet hoi polloi and needs to be listed in the
registry database for edu.  I don't see how someone walking the DNS
tree from root will ever get to physics.almamater.edu without going
through almamater.edu to get there.  Once any cached records expire they
are going to have to climb down (or is it up? <G>) the tree.

Yes, you can move subdomain nameservers by just talking to the
containing domain's nameserver operator, and that might well be
yourself, but you can't move the nameserver which represents your
second level domain without changing an entry which isn't under your
direct control.

So moving that nameserver requires communication with the registry
operator via the registrar.

> > * I suppose that it MIGHT be possible through a misconfiguration of
> > secondary/slave servers outside of your domain which serve your domain
> > to partially advertise a new name server, but this will lead to an
> > inconsistent view of your domain to the internet. I guess that this
> > might have been what Aaron was hinting about with his "by accident"
> > remark.
>
> That's certainly possible too, but by no means the only way.

And I'd enjoy hearing about other ways.

-- 
Rick DeNatale

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
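
Added example (not part of the original message): a small offline model of a
resolver walking referrals from the root with an empty cache, using the
almamater.edu names from the message above. The server names, addresses and
the SERVERS table are constructed for illustration; no real DNS queries are made.

```python
import copy

# Constructed data: each server lists the referrals it hands out and the
# records it answers itself. Addresses are from the documentation range.
SERVERS = {
    "root": {"refer": {"edu.": "edu-registry"}, "answer": {}},
    "edu-registry": {"refer": {"almamater.edu.": "ns1.almamater.edu."},
                     "answer": {}},
    "ns1.almamater.edu.": {
        "refer": {"physics.almamater.edu.": "ns.physics.almamater.edu."},
        "answer": {"www.almamater.edu.": "192.0.2.10"},
    },
    "ns.physics.almamater.edu.": {
        "refer": {}, "answer": {"www.physics.almamater.edu.": "192.0.2.20"},
    },
    # A new server for the second-level zone that the registry does not list.
    "ns2.almamater.edu.": {
        "refer": {"physics.almamater.edu.": "ns.physics.almamater.edu."},
        "answer": {"www.almamater.edu.": "192.0.2.99"},
    },
}

def resolve(name, servers, start="root", max_hops=10):
    """Follow referrals from the root; return (servers visited, address)."""
    path, server = [], start
    for _ in range(max_hops):
        path.append(server)
        zone = servers[server]
        if name in zone["answer"]:
            return path, zone["answer"][name]
        # Follow the most specific delegation whose zone contains the name.
        matches = [z for z in zone["refer"]
                   if name == z or name.endswith("." + z)]
        if not matches:
            return path, None
        server = zone["refer"][max(matches, key=len)]
    return path, None

def with_registry_change(servers, zone, new_ns):
    """Return a copy in which the edu registry delegates zone to new_ns."""
    changed = copy.deepcopy(servers)
    changed["edu-registry"]["refer"][zone] = new_ns
    return changed

if __name__ == "__main__":
    print(resolve("www.physics.almamater.edu.", SERVERS))
    print(resolve("www.almamater.edu.", SERVERS))
    moved = with_registry_change(SERVERS, "almamater.edu.", "ns2.almamater.edu.")
    print(resolve("www.almamater.edu.", moved))
```

In this model ns2.almamater.edu. is never visited until the edu registry entry
is changed, while the physics delegation lives entirely on the almamater.edu
server.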
