@Habbie

Because I'm a DNS implementor too.

The main people to have adopted that are the people who were already doing things its way.

Microsoft didn't back then, & still does not now. #djbdns, likewise. MaraDNS, likewise.

Of the 3, MaraDNS is the one that specifically calls out that there is a difference in its doco, although the other 2 document the different ways that they do wildcards.

I was pointing this out when it was still a draft.

https://groups.google.com/g/comp.protocols.dns.bind/c/yfgFVyU95rA/m/Fy69mSzL1j0J

@ska
#DomainNameSystem

Bind 9, Wildcard Records and Road Runner

@BastilleBSD

So you're not interested in those who go the whole hog and run their own private root content DNS servers. (-:

http://jdebp.info/Softwares/djbwares/guide/dns-private-root.html

#DomainNameSystem #djbwares

A private root content DNS server

@ska

Don't fall into the trap of treating RFC4592 as a spec.

It's still a proposed standard, and there's a *lot* of stuff in the DNS RFC world that seems like a spec, until one hits the real world and finds that it's a decade-or-more wild goose chase that the RFCs don't tell you has failed to take off.

https://news.ycombinator.com/item?id=44320497

The reality is that RFC4592 didn't take off, either. *No-one* has adopted it that wasn't the implementation that it sought to ossify.

#DomainNameSystem

Why do we need DNSSEC? | Hacker News

@ska

No, I'm not mixing things. I was there. I was there when the wildcard draft was made, trying to point out various problems in it, 2 years before publication. I was also there doing the user support, and I can tell you from a lot of actual experience with end users and this stuff that you are quite wrong.

Wildcards were one of the things that users asked about, over and over. BIND wasn't intuitive. Indeed people are still saying so on StackExchange 20 years later.

#DomainNameSystem

@ska

I hope not, if working like #djbdns is the goal.

RFC4592 has a tree-structure model of domain name existence that prevents wildcards from working in some cases in a way that the djbdns table-structure model does not prevent.

Using the RFC4592 example:

When one does an MX lookup for _telnet._tcp.example. or ghost.*.example. it returns a non-empty record set because of the @ wildcard at *.example. .

In the RFC4592 model, the *.example. wildcard does not get applied.

#DomainNameSystem
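As an added illustration of the two existence models contrasted in the post above (this is not code from the post, from djbdns, or from RFC 4592), the following Python runs both lookups over a constructed table that copies a subset of the RFC 4592 section 2.2.1 example zone. The table-structure walk is a simplified rendering of tinydns's behaviour, and the function names are mine.

```python
# Two wildcard lookup models over one small table (added example).
# Owner names are absolute (trailing dot); each maps RR type -> list of RDATA.
# Results: None = Name Error (NXDOMAIN); [] = name exists but has no records
# of that type (NODATA); otherwise the answer RDATA list.

# Constructed table: a subset of the RFC 4592 section 2.2.1 example zone.
ZONE = {
    "example.":                 {"SOA": ["<SOA RDATA>"], "NS": ["ns.example.com."]},
    "*.example.":               {"TXT": ['"this is a wildcard"'], "MX": ["10 host1.example."]},
    "sub.*.example.":           {"TXT": ['"this is not a wildcard"']},
    "host1.example.":           {"A": ["192.0.2.1"]},
    "_ssh._tcp.host1.example.": {"SRV": ["<SRV RDATA>"]},
}

def _ancestors(qname):
    """Yield ancestors nearest first: 'a.b.example.' -> 'b.example.', 'example.', '.'"""
    parts = qname.split(".")
    for i in range(1, len(parts)):
        yield ".".join(parts[i:]) or "."

def _wild_child(name):
    return "*." if name == "." else "*." + name

def _exists(zone, name):
    """RFC 4592 existence: owns records, or has descendants (empty non-terminal)."""
    return name == "." or name in zone or any(o.endswith("." + name) for o in zone)

def rfc4592_lookup(zone, qname, qtype):
    """Tree model (RFC 4592 section 3.3): an existing name never gets synthesis;
    otherwise only the wildcard child of the closest encloser may be used.
    A '*' label inside the query name is just an ordinary label."""
    if _exists(zone, qname):
        return zone.get(qname, {}).get(qtype, [])
    for encloser in _ancestors(qname):
        if _exists(zone, encloser):           # the closest encloser
            source = _wild_child(encloser)    # the source of synthesis
            return zone[source].get(qtype, []) if source in zone else None
    return None

def table_lookup(zone, qname, qtype):
    """Table model (simplified tinydns-style walk): a name counts as existing
    only if the table has a row for it; otherwise strip one label at a time
    and use the first '*.<rest>' row found, whatever lies in between."""
    if qname in zone:
        return zone[qname].get(qtype, [])
    for rest in _ancestors(qname):
        source = _wild_child(rest)
        if source in zone:
            return zone[source].get(qtype, [])
    return None
```

Querying MX for ghost.*.example. or _telnet._tcp.host1.example. gives Name Error under the tree model but the *.example. MX set under the table model; an empty non-terminal such as _tcp.host1.example. gets NODATA under the tree model and the wildcard MX under the table model.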

DNS problems: .de domains unreachable

A problem in the Domain Name System is preventing .de domains from being resolved, regardless of provider or DNS operator.

heise online

@cks

Yes, no surprises here. People are definitely still scraping DNS content for attacks. I regularly get services being requested for domain names that only appear at all for the sake of NS resource records.

#DomainNameSystem

@cks @lanodan

Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

AAAA has plenty of obvious choices.

You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

#djbdns
#DomainNameSystem
#SplitHorizon
#ReservedSuperDomains #DNS #HTTPS #SVCB

@cks @lanodan @drscriptt

There are actually quite a few, nowadays. See RFCs 6762, 7686, and 8375.

example. is not the worst choice, although you could have gone with test. or internal. or intranet. .

Given your objective, any of the further ones that imply a residence or a corporation seem less well suited.

Although home.arpa.'s public delegation to the blackhole-{1,2}.iana.org. names is re-used.

https://github.com/jdebp/nosh/blob/trunk/source/examples/tinydns/split-horizon#L96

#djbdns #DomainNameSystem #SplitHorizon #ReservedSuperDomains #DNS

Commentary on the AWS failure: behind the scapegoat DNS stands hyperscaler incompetence

After the massive cloud outages at AWS and Azure, DNS was quickly singled out as the scapegoat. That falls short, says Carsten Strotmann.

iX Magazin