Paul Vixie wrote:

>>>i'm comfortable with that approach, although i think it's safe to use
>>>it as glue for any NS RR,

>>It is unsafe, because, will give you forged answer for other
>>queries to

> when we last discussed this, i said that no nameserver should hand out
> glue for zones outside its apex, and that if it does hand out such glue
> then it ought not be believed.

As long as glue is used as glue and for no other purposes, which is
necessary now, there is no point in avoiding any glue information.

> my position hasn't changed. has yours?

You should change your position now.

BTW, the following scenario seemingly requires handling of additional
As so that "apex" is not a meaningful concept.

1) an attacker asks a victim nameserver NS of

2) the attacker repeatedly asks a victim nameserver MX of

3) the victim nameserver forwards the question to NS of

4) the attacker guesses ID and gives false answers with source
address of NS of MX 0

with an additional record of A

That is, except for glue-A, an additional record should be accepted only
if its name exactly matches the query name.

Masataka Ohta
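
The acceptance rule stated at the end of the message above, sketched as an added example (not part of the original post or of any nameserver's code). It assumes "glue-A" means an A record whose owner name is the target of an NS record in the same response; the `RR` type, the function names, and all domain names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str   # owner name
    rtype: str  # "A", "NS", "MX", ...
    rdata: str

def canon(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def filter_additional(qname, answer, authority, additional):
    """Split additional-section RRs into (glue, accepted, dropped).

    glue     - A RRs owned by the target of an NS RR in this same response
               (assumed meaning of "glue-A"); to be used only to reach that
               nameserver, never returned as an answer to other queries.
    accepted - RRs whose owner name exactly matches the query name.
    dropped  - everything else, e.g. an A RR riding along with an MX answer.
    """
    ns_targets = {canon(rr.rdata) for rr in answer + authority if rr.rtype == "NS"}
    glue, accepted, dropped = [], [], []
    for rr in additional:
        owner = canon(rr.name)
        if rr.rtype == "A" and owner in ns_targets:
            glue.append(rr)
        elif owner == canon(qname):
            accepted.append(rr)
        else:
            dropped.append(rr)
    return glue, accepted, dropped

# Constructed response shaped like step 4: an MX answer carrying an extra A.
FORGED_MX = dict(
    qname="victim.example.",
    answer=[RR("victim.example.", "MX", "0 mail.other.example.")],
    authority=[],
    additional=[RR("mail.other.example.", "A", "192.0.2.66")],
)
# Constructed referral: one real glue A plus one unrelated A.
REFERRAL = dict(
    qname="www.child.example.",
    answer=[],
    authority=[RR("child.example.", "NS", "ns1.child.example.")],
    additional=[RR("NS1.child.example.", "A", "198.51.100.1"),
                RR("www.bank.example.", "A", "192.0.2.66")],
)
```
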
