the "." zone

[the confused]

In 291382, the following is listed as one of the common
mistakes that is made when administrators set up DNS on
network that contains a single Windows 2000 or Windows
Server 2003 domain controller:

The "." zone exists under forward lookup zones in DNS.

What does this mean? I thought this "." zone is set up in
the forward lookup zones by default, when needing a
separate name space.

Or, the "." zone was set up by default there, regardless
whether you need a separate space or not, in a early MS
DNS (heard this' a before 2003 feature)?

In addition, if it should be there by default for a
saparate name space, I would think it should be a level
up, i.e., both of the foward and reverse zones should be
under the "." domain, not that the "." zone being under
forward zones, and including both forward domains/zones
and reverse domains. I think this way would make more
sense, if MS wants to list separately the forward and
reverse zones.

Anyone can shed some light on this? Thanks!

 

[Deji Akomolafe]

It was a "mistake" MS assumed that we all want to use our DNS server in a
fotress (or an Island), so they automatically configure a Win2K server to be
a root server. In the root mode, the server believes that it is the "end of
the world" and any record it does not currently have does not exist. So, in
this mode, when the server receives a query for www.sendasalami.com, it
looks at itself (ONLY) and goes, "hmmmm.. nothing here. Sorry. Don't exist".
It never attempts to ask the people who would really know about salamis and
other food stuffs (in this case, the REAL Root servers).

MS heard about this from many sources and they realized that there aren't
that not that many people have their own Island, so they fixed it in Win2K3.

So, the long and short of the story: In Win2K DNS, you will see a "." zone.
Unless you really run this network in isolation from the rest of the world
and you, therefore, have no need to resolve external records, ALWAYS delete
this "." zone and move on.
--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

[the confused]

thanks Deji!

ok, it is a mistake! ;-)

It's probably a DC and AD thing. I don't remember
whether it was there when I set up my first DC. It was a
long time ago. But when I setup this DNS member server,
a "." zone was not there.

Any thoughts on where a "." domain should be?

-----Original Message-----
It was a "mistake" MS assumed that we all want to use our DNS server in a
fotress (or an Island), so they automatically configure a Win2K server to be
a root server. In the root mode, the server believes that it is the "end of
the world" and any record it does not currently have does not exist. So, in
this mode, when the server receives a query for

www.sendasalami.com, it

 

[Deji Akomolafe]

Any thoughts on where a "." domain should be?

In the Garbage Can, or anywhere else very far away from your DNS server


Remember what I said.....

Unless you really run this network in isolation from the rest of the world

and you, therefore, have no need to resolve external records, ALWAYS delete
this "." zone and move on.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
thanks Deji!

ok, it is a mistake! ;-)

It's probably a DC and AD thing. I don't remember
whether it was there when I set up my first DC. It was a
long time ago. But when I setup this DNS member server,
a "." zone was not there.

Any thoughts on where a "." domain should be?

-----Original Message-----
It was a "mistake" MS assumed that we all want to use our DNS server in a
fotress (or an Island), so they automatically configure a Win2K server to be
a root server. In the root mode, the server believes that it is the "end of
the world" and any record it does not currently have does not exist. So, in
this mode, when the server receives a query for

www.sendasalami.com, it

 

[the confused]

hah,hah! sure in case that it doesn't apply.

however, if you do need to set up one, where it should
be, in the Forward Zones, or a level above the Forward
Zones and Reverse Zones?

Currently, it is part of the forward zone, but I don't
think this makes a lot sense...

 

[Herb Martin]

Almost no one needs a "." internal zone. It is a shame that is is/was
created by default with NO WARNING.

Only those with complex internal trees of domains/zones are likely to need
this and then they will likely have the skill and experience to deal with it
and to figure out a method for also resolving the public Internet namespace
as well (a non-trivial problem.)

 

[Kevin D. Goodknecht [MVP]]

In

In 291382, the following is listed as one of the common
mistakes that is made when administrators set up DNS on
network that contains a single Windows 2000 or Windows
Server 2003 domain controller:

The "." zone exists under forward lookup zones in DNS.

What does this mean? I thought this "." zone is set up in
the forward lookup zones by default, when needing a
separate name space.

Or, the "." zone was set up by default there, regardless
whether you need a separate space or not, in a early MS
DNS (heard this' a before 2003 feature)?

In addition, if it should be there by default for a
saparate name space, I would think it should be a level
up, i.e., both of the foward and reverse zones should be
under the "." domain, not that the "." zone being under
forward zones, and including both forward domains/zones
and reverse domains. I think this way would make more
sense, if MS wants to list separately the forward and
reverse zones.

Anyone can shed some light on this? Thanks!

You can have an internal root (the ".") if it is properly delegated to the
Root you wish to resolve. All three of my DNS servers have a Root zone that
is delegated to the ORSC root.
The root hints on MS DNS use the ICANN root.
http://support.open-rsc.org/root_cache/

 

[the confused]

Kevin, thanks for the response..

not really sure what you mean by delegating a "." zone.
To resolve names in a different name space, you don't use
a forwarder or a hint file (in this case, both directing
to the ORSC root servers)?

 

[Kevin Goodknecht [MVP]]

In

Kevin, thanks for the response..

not really sure what you mean by delegating a "." zone.
To resolve names in a different name space, you don't use
a forwarder or a hint file (in this case, both directing
to the ORSC root servers)?

A delegated root zone is one that has the delegations for the gTLD servers.
The ORSC root has several hundred delegations ranging from 1719 to zw
You cannot have both forwarders and a root zone, what I do is draw a
secondary from the ORSC root servers. Get your data from these DNS servers:
199.166.24.12
199.166.28.10
204.80.125.30
195.117.6.25
199.166.31.3
204.57.55.100
199.166.27.4
199.166.29.2
195.206.104.13
199.5.157.128
199.166.24.1
Any of these will allow a transfer of the root zone.

 

[Ace Fekay [MVP]]

It was a "mistake" MS assumed that we all want to use our DNS

server in a fotress (or an Island), so they automatically configure a
Win2K server to be a root server. In the root mode, the server
believes that it is the "end of the world" and any record it does not
currently have does not exist. So, in this mode, when the server
receives a query for www.sendasalami.com, it looks at itself (ONLY)
and goes, "hmmmm.. nothing here. Sorry. Don't exist". It never
attempts to ask the people who would really know about salamis and
other food stuffs (in this case, the REAL Root servers).

MS heard about this from many sources and they realized that there
aren't that not that many people have their own Island, so they fixed
it in Win2K3.

So, the long and short of the story: In Win2K DNS, you will see a "."
zone. Unless you really run this network in isolation from the rest
of the world and you, therefore, have no need to resolve external
records, ALWAYS delete this "." zone and move on.

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
news:[email protected]...

Just want to add and point out that the Root zone will only get created by
DCPROMO if you opt to install DNS during the promotion process and only if
there is no Internet connectivity. If there is Internet connectivity, the
Root zone won't get created.

Cheers!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[the confused]

I think I understand what you did there-you set up an
unadvertised secondary of a child zone that is on the
root servers of ORSC. The benifit would be faster
resolution for your clients locally, comaring to
configure a forwarder.

Then, do you need to set up all your own zones with any
special measures?

There probably be another option-setting it up as a stub
zone, available with Windows 2003 DNS. Forwarder or stub
zone would not give you the fast local resolution, but
will make the configuration much cleaner, and more
conventional.

thanks for providing the details...

 

[Deji Akomolafe]

At the risk of appearing to disagree with Kevin, let me say this: Forget the
"." zone. Forget you ever saw it. Forget that you had this discussion. You
don't NEED it, and with your understanding of DNS at this point (no
intention to "dis" you here, and I apologize if this sounds like it), you
should stay away from it. When you really need the "." zone, you will know
it.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 

[the confused]

For security reasons, more and more companies want their
internal and external name space to be separated, so
there are real needs to set uo "." zones for the internal
spaces.

-----Original Message-----
It was a "mistake" MS assumed that we all want to use our DNS server in a
fotress (or an Island), so they automatically configure a Win2K server to be
a root server. In the root mode, the server believes that it is the "end of
the world" and any record it does not currently have does not exist. So, in
this mode, when the server receives a query for

www.sendasalami.com, it

 

[Ace Fekay [MVP]]

I wouldn't say that's a requirement unless you want to block Internet access
or you are using Proxy or ISA.

Just deleting the Root zone is NOT a security measure on it's own.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


For security reasons, more and more companies want their
internal and external name space to be separated, so
there are real needs to set uo "." zones for the internal
spaces.

-----Original Message-----
It was a "mistake" MS assumed that we all want to use our DNS server in a
fotress (or an Island), so they automatically configure a Win2K server to be
a root server. In the root mode, the server believes that it is the "end of
the world" and any record it does not currently have does not exist. So, in
this mode, when the server receives a query for

www.sendasalami.com, it

 

[Dave Baldridge]

Good morning,

The "." zone indicates that the DNS server is a root server meaning it is
the highest level of authority for the namespace for which it is
authoritative. When a server is configured with a "." zone, forwarding is
disabled. Please take a look at articles
http://support.microsoft.com/?id=260371,
http://support.microsoft.com/?id=291382 and
http://support.microsoft.com/?id=229840 for further information.

If you want to host a dns namespace which is not a root server, ie. you need
to use root hints or forwarders, just delete the "." zone.

The "." zone is created by default if DNS is installed on a server that is
not configured with DNS settings in its IP properties.

Thanks and have a great day.

Dave Baldridge MCSE 2000

MPS Protocols Support Professional

 

[the confused]

What I meant is to set up the internal and external
namespace, for obvious security reasons, there are needs
to set up "." zones for the internal name spaces. In this
case, yes, proxy is used.

Did anyone mentioned that deleting "." zone can be a
security measure? I haven't follwow all the threads
closely.

 

[Kevin D. Goodknecht [MVP]]

At the risk of appearing to disagree with Kevin, let me say this:

Forget the "." zone. Forget you ever saw it. Forget that you had this
discussion. You don't NEED it, and with your understanding of DNS at
this point (no intention to "dis" you here, and I apologize if this
sounds like it), you should stay away from it. When you really need
the "." zone, you will know it.

You need it if you wish NOT to use the ICANN root as I do.
I use the ORSC root which has many, many more supported TLDs, along with
support for the ICANN root.
This is an option I find useful so my mail servers can accept mail from the
alternate Root TLDs. If you use the ICANN root then a mail server that is
configured to lookup MX records of incoming mail domains cannot do MX
lookups for those domains.

If you wish to use the ICANN root then you don't need the delegated root
zone, because MS DNS out of the box uses the ICANN root to resolve external
names.

 

[Kevin D. Goodknecht [MVP]]

In

Good morning,

The "." zone indicates that the DNS server is a root server meaning
it is the highest level of authority for the namespace for which it is
authoritative. When a server is configured with a "." zone,
forwarding is disabled. Please take a look at articles
http://support.microsoft.com/?id=260371,
http://support.microsoft.com/?id=291382 and
http://support.microsoft.com/?id=229840 for further information.

If you want to host a dns namespace which is not a root server, ie.
you need to use root hints or forwarders, just delete the "." zone.

This is true ONLY if you wish to use the default ICANN Root.
The ICANN Root is not the only root on the internet, it is just the official
root of the United States Government.

 

[Ace Fekay [MVP]]

In

What I meant is to set up the internal and external
namespace, for obvious security reasons, there are needs
to set up "." zones for the internal name spaces. In this
case, yes, proxy is used.

Did anyone mentioned that deleting "." zone can be a
security measure? I haven't follwow all the threads
closely.

It's not a security measure. Rather it's just your control of what the
internal users can communicate with externally by name. As you said, you're
using Proxy, and assuming you are using just the Web caching service, then
the Root zone can remain since Proxy, assuming your Proxy is not using the
Internal DNS, can resolve outside names.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[the confused]

I think what Dave said basically is true for DNS in a
general sense.

If you want to host a dns namespace which is not a root

server, ie. you need
to use root hints or forwarders, just delete the "." zone.

here may not be precise, as that if it is a root server,
you cannot host a name space.

The "." zone is created by default if DNS is installed

on a server that is
not configured with DNS settings in its IP properties.

not sure, but seem not true if you set up a member server
as a DNS server, based on my recent experience.