Re: Deprecation notice for BIND 9.18: (root-)delegation-only option

Mon, 27 Mar 2023 02:48:09 -0700 

On 22.03.23 17:36, Ondřej Surý wrote:

in line with our deprecation policy, I am notifying the mailing list about our 
intent
to deprecated the delegation-only and root-delegation-only options.  This is 
again
adept for expedited deprecation - it will be removed in BIND 9.20 and deprecated
in BIND 9.18.



On 23. 3. 2023, at 17:57, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
what's the reason? Code cleanliness?
Or is it problematic to maintain?


On 23.03.23 19:11, Ondřej Surý wrote:

Those are wrong questions to ask - the right question to ask is whether this 
bring any
value - and the answer is that it doesn't, then it becomes unmaintained and 
untested
cruft.


my question was related to the next one.


The (root-)delegation-options were introduced as a countermeasure for the 
infamous
Site Finder by Verisign[1]. With the controversy around this and introduction 
of DNSSEC,
the likelihood of this happening is infinitesimal.

If you don't even know what those options does, the TL;DR is that it disables
the non-delegation records for configured domains (TLD), this in turns might
break legitimate TLDs like .de, .fr, .museum and others [2][3].

If you know a legitimate reason to keep those options, please describe the use 
case
here or in the issue mention below.


well, if "just for sure no other AH tries that again" is not a reason for you...


No, it will not happen again, at least not at the TLD level. The community has 
learned
and ICANN has learned too.


this is what I wanted to hear.

Unfortunately there are companies that do this for their customers.


If this should happen at any level, what are the possibilities to discard 
such responses?


Use RPZ that will rewrite specific A/AAAA records into NODATA/NXDOMAIN?
We'd need the specific address(es) to rewrite but we could live with that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to