Re: [TriLUG] OT: Router then Firewall

Wed, 24 May 2006 07:34:09 -0700 

Tanner Lovelace wrote:


On 5/22/06, Rick DeNatale <[EMAIL PROTECTED]> wrote:


I don't know for sure, but I'm pretty sure that the root name servers
NEVER answered directly for ANY top level domains.



And, I'm pretty sure they used to, so we're at an impasse
there.


They are part of
the mechanism of dns, and have been pretty much policy free for quite
some time, the matter of how domains are registered and by whom, is a
matter of policy set by ICANN now, and DOD/Jon Postel at ISC/USC
before.



Ugh, don't even get started on the disaster known as ICANN (or better
yet, I CAN'T)...

[...]


Now, I'm not sure what the correct terminology for a second level
domain like trilug.org is, for want of a better term, let's call it a
second level domain.  I'd argue that this is what most folks think of
as a domain, it's what you register with a registrar.



I believe the top level domains are generally known as
"Generic Top Level Domains" and things like trilug.org
were called something else, but "second-level domain"
gets the point across.


I'm still almost certain, that you can't get the OVERALL internet to
see the nameserver(s) for your domain without going through your
registrar*.  Now it's true that you can have third (and perhaps
higher) level name servers which are only visible because your second
level name server knows about them, but I'm also pretty sure that this
whole discussion has been about second level domains.



And I still say you're wrong about this.  Your nameserver
is perfectly free to delegate to whoever you want it to.
You could even, using views or something like that,
set things up so that your slave name servers can get your
entire domain information but anyone else requesting it
gets delegated to the slave name servers.  This is perfectly
valid in the DNS spec.


* I suppose that it MIGHT be possible through a misconfiguration of
secondary/slave servers outside of your domain which serve your domain
to partially advertise a new name server, but this will lead to an
inconsistent view of your domain to the internet. I guess that this
might have been what Aaron was hinting about with his "by accident"
remark.



That's certainly possible too, but by no means the only way.

Cheers,
Tanner
Ah finally some good back and forth discussion. :) The fastest way to get the right answer, is for someone to post the wrong one. I'm glad you two have finally worked around to a mostly correct solution, thanks much to Rick for informative input as well. There are still a few loose ends, so I'll tidy up and post my thoughts when I have some more time (after huge presentation I've been preparing for this morning, PST). 

Aaron S. Joyner
--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

Reply via email to