As this is an operational rather than a protocol issue, I'm posting
to DNSOP.
At
http://www.isc.org/products/BIND/delegation-only.html
it is stated that:
    In response to high demand from our users, ISC is releasing
    a patch for BIND to support the declaration of "delegation-only"
    zones in caching/recursive name servers. Briefly, a zone which
    has been declared "delegation-only" will be effectively limited
    to containing NS RRs for subdomains, but no actual data outside
    its apex (for example, its SOA RR and apex NS RRset). This can
    be used to filter out "wildcard" or "synthesized" data from NAT
    boxes or from authoritative name servers whose undelegated
    (in-zone) data is of no interest.
However, it is ineffective as a protection against synthesized NS
and synthesized child zone contents from NAT boxes or from authoritative
name servers whose undelegated (in-zone) data is of no interest.
As for wildcarding, you can argue that synthesis is more evil than
wildcarding. However, those who put in undesired wildcards do not mind
and will perform equivalently effective undesired synthesis.
Masataka Ohta
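
The filtering rule quoted in the message above, as an added example (not part of the original post and not BIND's code). It is a simplified model of a resolver-side "delegation-only" check, showing which response shapes the rule rejects and which it accepts; all names, addresses and the Response/RR types are constructed for illustration.

```python
# Simplified model of a "delegation-only" acceptance check (assumption: the
# rule is reduced to "apex data and child-zone NS referrals only").
from dataclasses import dataclass, field

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str

@dataclass
class Response:
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_below(name, zone):
    """True if name is a strict subdomain of zone (label-wise comparison)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[len(n) - len(z):] == z

def accept(resp, zone):
    """Accept referrals and apex data; reject other data below the apex."""
    # An NS RRset owned by a name below the zone looks like a delegation.
    if any(rr.rtype == "NS" and is_below(rr.owner, zone) for rr in resp.authority):
        return True
    # Otherwise any answer owned by a name below the apex is undelegated data.
    return not any(is_below(rr.owner, zone) for rr in resp.answer)

ZONE = "com"
# Constructed responses, labelled by the case each one represents.
apex = Response(answer=[RR("com", "SOA", "constructed")])
referral = Response(authority=[RR("example.com", "NS", "ns1.example.net")])
wildcard = Response(answer=[RR("no-such-name.com", "A", "192.0.2.1")])
synthesized = Response(authority=[RR("no-such-name.com", "NS", "ns.synth.example")])

def classify_all():
    cases = {"apex": apex, "referral": referral,
             "wildcard": wildcard, "synthesized": synthesized}
    return {name: accept(resp, ZONE) for name, resp in cases.items()}

if __name__ == "__main__":
    for name, ok in classify_all().items():
        print(f"{name:12s} {'accepted' if ok else 'treated as nonexistent'}")
```

The synthesized referral is accepted because, to this check, it is indistinguishable from a genuine delegation; telling the two apart needs information from outside the response itself.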