Delegation Only Zones in BIND 9

Starting in BIND 9.2.2P1, there is a new type of zone called delegation-only. It is designed to counter wildcard records in TLDs, such as *.com. This is sometimes called the "Verisign patch" because, while Verisign was not the first TLD operator to create such a wildcard record, their creation of *.com and the SiteFinder service are what prompted ISC to add this feature to the BIND name server.

What this means is that a wildcard record in a zone marked delegation-only is effectively shut down: the resolver accepts only delegations (referrals) from that zone's servers and rewrites any other answer, such as a wildcard-synthesised A record, to NXDOMAIN.

You add something like the following to named.conf:

zone "." { type delegation-only; };
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "mp" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "pw" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "td" { type delegation-only; };
zone "tk" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

Before: a lookup for a random, non-existent host under the domain returns a seemingly legitimate IP address when the answer should have been NXDOMAIN.

$ dig wwpfowerewrewr234dsew-0.sitefinder.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc15 <<>> wwpfowerewrewr234dsew-0.sitefinder.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;wwpfowerewrewr234dsew-0.sitefinder.com. IN A

;; ANSWER SECTION:
wwpfowerewrewr234dsew-0.sitefinder.com. 3600 IN A 208.73.210.29

;; AUTHORITY SECTION:
sitefinder.com. 172791 IN NS ns2.dsredirection.com.
sitefinder.com. 172791 IN NS ns1.dsredirection.com.

;; ADDITIONAL SECTION:
ns1.dsredirection.com. 172791 IN A 204.13.160.145
ns2.dsredirection.com. 172791 IN A 204.13.161.145

;; Query time: 1088 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:52:54 2012
;; MSG SIZE rcvd: 154

After: the same query returns NXDOMAIN.

$ dig wwpfowerewrewr234dsew-0.sitefinder.com 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc15 <<>> wwpfowerewrewr234dsew-0.sitefinder.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wwpfowerewrewr234dsew-0.sitefinder.com.	IN A

;; Query time: 1768 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr  6 23:5

As a test, I also added

zone "sitefinder.com" { type delegation-only; };

This effectively black-holes the sitefinder.com domain.
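To make the rule concrete, here is a small model of the check a delegation-only zone applies, written for this post (it is not code from the post or from BIND, and it simplifies BIND's real logic): a response from the zone's own servers is kept only if it is a referral, so both the TLD wildcard case and the sitefinder.com black-hole fall out of the same function.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record: owner (lowercase, no trailing dot), type, data."""
    owner: str
    rtype: str
    rdata: str


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex itself or lies below it ("" is the root)."""
    if zone == "":
        return True
    return name == zone or name.endswith("." + zone)


def delegation_only_filter(zone, answer, authority, additional):
    """Filter a response received from the servers of a delegation-only zone.

    Returns (status, records). Only a referral survives: NS records owned by a
    name below the apex (plus NS/SOA at the apex) and in-zone A/AAAA glue.
    Any other data, such as a wildcard-synthesised A record, becomes NXDOMAIN.
    Simplified model of BIND's behaviour, not BIND's own code.
    """
    for rr in answer + authority:
        if rr.rtype in ("NS", "SOA") and rr.owner == zone:
            continue                      # the zone's own apex data is allowed
        if rr.rtype == "NS" and rr.owner != zone and in_zone(rr.owner, zone):
            continue                      # a delegation to a child zone
        return "NXDOMAIN", []             # anything else is not a delegation
    # keep only glue that lives inside the zone; other additional data is dropped
    glue = [rr for rr in additional
            if rr.rtype in ("A", "AAAA") and in_zone(rr.owner, zone)]
    return "NOERROR", answer + authority + glue


# Constructed from the dig output in the post: the wildcard answer sitefinder.com's
# servers gave, and what a legitimate .com referral for sitefinder.com looks like.
WILDCARD_ANSWER = [RR("wwpfowerewrewr234dsew-0.sitefinder.com", "A", "208.73.210.29")]
REFERRAL_AUTHORITY = [RR("sitefinder.com", "NS", "ns1.dsredirection.com"),
                      RR("sitefinder.com", "NS", "ns2.dsredirection.com")]
REFERRAL_GLUE = [RR("ns1.dsredirection.com", "A", "204.13.160.145"),
                 RR("ns2.dsredirection.com", "A", "204.13.161.145")]
# Constructed: a hypothetical *.com wildcard answer served by the com servers.
TLD_WILDCARD_ANSWER = [RR("nosuchlabel-4711.com", "A", "192.0.2.1")]

if __name__ == "__main__":
    print(delegation_only_filter("com", TLD_WILDCARD_ANSWER, [], [])[0])       # NXDOMAIN
    print(delegation_only_filter("com", [], REFERRAL_AUTHORITY, REFERRAL_GLUE)[0])  # NOERROR
    print(delegation_only_filter("sitefinder.com", WILDCARD_ANSWER, [], [])[0])  # NXDOMAIN
```

The third call shows why adding sitefinder.com itself as delegation-only black-holes the whole domain: its servers never answer with referrals, so every answer they give is rewritten.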
