On 6 November 2012 13:52, Mark Jeftovic <[email protected]> wrote:
>
>
> On 12-11-06 7:33 AM, Danny McPherson wrote:
>>
>> On Nov 6, 2012, at 4:40 AM, Feng He wrote:
>>
>>> On 2012-11-6 17:08, Steven Carr wrote:
>>>> They all expect you to use their own custom DNS management tools for
>>>> managing the domain and expect that you only have it hosted with them,
>>>> I'm not even sure some of the providers would allow you to create
>>>> additional NS records so yes there could be problems in that the glue
>>>> would not match the NS returned by one of the providers, so it would
>>>> appear that some of the NS are stealth.
>>>
>>> That's a great point. I totally agree with it.
>>
>> Or, if they're not in-bailiwick it may require additional queries to prime
>> things on recursive servers.
>>
>> DNSSEC of course addresses object-level security issues with authoritative
>> servers.
>>
>
> What kind of problems would occur from the glue not matching the NS records?
Nothing compared to what I assume would happen if these providers started
supporting DNSSEC as primary-only in the same way they are doing here.
Different sets of servers each doing their own DNSSEC signing with different
keys and not publishing each other's keys alongside them - I don't see that
working too well.

NS mismatches just mean that a resolver might not "see" all the possible
servers and how queries get load balanced between them might be non-obvious,
but as long as the rest of the data is consistent (this is the main problem!)
it shouldn't cause any issues during normal operation.

If a resolver has a smaller cached NS set (for example only the 2 cloudflare
ones) and all of those servers are down it might go back to the parent and
find the other servers that are still up. The "might" is the issue with this
setup. Will it automatically break stuff? No, but when something does break
it'll make it a lot harder to find out what.

- Mike

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
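The delegation check Mike's reply implies, as an added example that is not part of the thread: it compares the parent's delegation NS set with the apex NS RRset each provider's server serves, and models which servers a resolver actually "sees" once it has cached one provider's answer. All names and RRsets are constructed stand-ins for what you would get from querying the parent and each authoritative server; the assumption that a resolver prefers the child's authoritative NS RRset over the parent's glue follows RFC 2181 data ranking.

```python
# Added example: parent glue vs. per-provider apex NS RRsets. Data constructed.

PARENT_NS = {"ns1.prov-a.test", "ns2.prov-a.test",
             "ns1.prov-b.test", "ns2.prov-b.test"}

# Apex NS RRset answered by each authoritative server (constructed):
# each provider lists only its own servers, as the thread describes.
CHILD_NS = {
    "ns1.prov-a.test": {"ns1.prov-a.test", "ns2.prov-a.test"},
    "ns2.prov-a.test": {"ns1.prov-a.test", "ns2.prov-a.test"},
    "ns1.prov-b.test": {"ns1.prov-b.test", "ns2.prov-b.test"},
    "ns2.prov-b.test": {"ns1.prov-b.test", "ns2.prov-b.test"},
}


def check_delegation(parent_ns, child_ns):
    """Report per-server mismatches between parent glue and child NS RRsets.

    Returns {server: {"stealth": [...], "not_in_parent": [...]}} holding only
    the servers whose RRset disagrees with the parent; {} means consistent.
    """
    problems = {}
    for server, rrset in child_ns.items():
        stealth = sorted(parent_ns - rrset)        # delegated, hidden by this server
        not_in_parent = sorted(rrset - parent_ns)  # advertised, but no glue for it
        if stealth or not_in_parent:
            problems[server] = {"stealth": stealth, "not_in_parent": not_in_parent}
    return problems


def servers_tried(parent_ns, child_ns, first_answer, down):
    """Which servers a resolver can still reach, given what it has cached.

    A resolver replaces the parent's NS set with the child's authoritative
    RRset once it hears it, so the cache holds whichever server answered
    first. Only when every cached server is down does it go back to the
    parent and discover the remaining delegated servers.
    """
    cached = child_ns[first_answer]
    reachable = cached - down
    if reachable:
        return "cache", sorted(reachable)
    return "parent", sorted(parent_ns - down)
```

Run `check_delegation(PARENT_NS, CHILD_NS)` against real answers gathered with `dig` to see which servers each provider renders stealth; an empty result is the consistent state the thread is asking for.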
