On 23 Jun 2015, at 13:03, Tony Finch wrote:

A question for those who know more about registry rules than me...

In the .example zone there can be five kinds of delegation NS record
(taking each record separately rather than the whole delegation NS RRset).

I think there are probably as many answers to this as there are registries, and one size definitely doesn't fit all, but let's assume you're talking about the kind of EPP data model that grew out of the RRP-accessible registries that were operated by Verisign, back in the day (i.e. there are domain objects and host objects).

The requirements I am stating below are from the DNS point of view rather
than from the registry point of view.

I think that's not going to help you get a clear answer, but let's give it a try. People who actually know how registries work can correct all the horrible mistakes I'm about to type. It has been a while. The EPP spec might be worth reading.

glue-forbidden.example.         IN      NS      ns0.example.net.
;
; You must not provide glue when the name server host name is not a
; subdomain of the parent domain (.example in this case).

The EPP data model includes host objects and domain objects. Every domain is linked to one or more host objects (two or more in practice, for policy reasons orthogonal to the data model).

In this case the domain object glue-forbidden.example would be linked to a host object ns0.example.net. Since the host object's name is not subordinate to the zone to be produced by the registry, it has no addresses associated with it. Hence there is no possibility of producing a zone from the registry that includes glue records.

not-glue.example.               IN      NS      ns1.example.
;
; A child zone's name server host name can be in the authoritative data
; for the parent zone. This isn't glue.

In this case the domain object not-glue.example is linked to the host object ns1.example. Since the host object's name is subordinate to the zone to be produced by the registry (it's named under example) the host object must include one or more addresses. This means that the zone produced from the registry can include a glue record alongside the delegation.

Whether or not a glue record is actually included in the zone depends on the algorithm by which the zone is produced from the registry. The most simple algorithm is to include a delegation for every domain object and glue records for every host object, but other algorithms that distinguish between glue that is definitively required and glue that might not be required are surely possible.

Of course, it's still possible to shoot yourself in the foot, e.g.

$ORIGIN COW.
DOMAIN IN NS A.DOMAIN.HORSE.
          NS B.DOMAIN.HORSE.

$ORIGIN HORSE.
DOMAIN IN NS A.DOMAIN.COW.
          NS B.DOMAIN.COW.

No glue is possible to include in either of the COW or HORSE zones (the corresponding host objects have no address attributes) and hence none of {A, B}.DOMAIN.{COW, HORSE} can ever be resolved unless the nameservers for COW or HORSE are also authoritative for the DOMAIN.COW or DOMAIN.HORSE zones.

glue-required.example.          IN      NS      ns2.glue-required.example.
;
; You must provide glue when a child zone has a name server whose host
; name is a subdomain of the child zone's apex.

I don't think that condition is part of the EPP data model; the criterion that matters here is that the host object's name is subordinate to the name of the zone produced from the registry, which means that one or more address records for the host are required.

; There are two cases where a child zone has a name server whose host name
; is a subdomain of a different sibling child zone of the same parent zone.

sibling-must-glue.example.      IN      NS      ns2.glue-required.example.

Ditto.

; The name server of this child zone can also be a name server of its
; sibling zone, in which case the sibling delegation must provide glue.

sibling-may-glue.example.       IN      NS      ns3.sibling.example.

Ditto.

; The name server of this child zone can be a subdomain of its sibling
; zone but not a name server for the sibling zone. Glue is optional in
; this case.

The host object ns3.sibling.example requires one or more address attributes. Whether or not glue records are published depends on the zone publication algorithm, as above.


Joe
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
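
The host-object address rule and the zone publication choice discussed in the message above, as an added Python example (not part of the original thread and not any registry's implementation). The addresses, the `sibling.example` delegation and all function names are assumptions; the glue classes follow the DNS-view cases quoted in the thread.

```python
ZONE = "example."  # zone produced by the registry (from the thread)

# Constructed host objects: name -> address attributes (documentation addresses).
HOSTS = {
    "ns0.example.net.": [],
    "ns1.example.": ["192.0.2.1"],
    "ns2.glue-required.example.": ["192.0.2.2"],
    "ns3.sibling.example.": ["192.0.2.3"],
}
# Domain objects: name -> linked host objects. sibling.example is an assumed
# delegation so that ns3.sibling.example sits below a zone cut.
DOMAINS = {
    "glue-forbidden.example.": ["ns0.example.net."],
    "not-glue.example.": ["ns1.example."],
    "glue-required.example.": ["ns2.glue-required.example."],
    "sibling-must-glue.example.": ["ns2.glue-required.example."],
    "sibling-may-glue.example.": ["ns3.sibling.example."],
    "sibling.example.": ["ns0.example.net."],
}

def subordinate(name, parent):
    """True if name is at or below parent, compared label by label."""
    n = name.lower().rstrip(".").split(".")
    p = parent.lower().rstrip(".").split(".")
    return len(n) >= len(p) and n[-len(p):] == p

def invalid_hosts(hosts, zone=ZONE):
    """Host objects breaking the rule: addresses if and only if in-zone."""
    return [h for h, addrs in hosts.items() if subordinate(h, zone) != bool(addrs)]

def classify(host, domains, zone=ZONE):
    """Classify a host object's addresses from the DNS point of view."""
    if not subordinate(host, zone):
        return "no-address"
    cuts = [d for d in domains if subordinate(host, d)]
    if not cuts:
        return "authoritative"   # plain data in the parent zone, not glue
    if any(host in domains[d] for d in cuts):
        return "required-glue"   # serves the zone it lives under
    return "optional-glue"       # below a cut, but not one of its servers

def publish(domains, hosts, zone=ZONE, minimal=False):
    """Simplest algorithm: every delegation plus every host address.
    With minimal=True, addresses classified optional-glue are left out."""
    rrs = [(d, "NS", ns) for d in sorted(domains) for ns in domains[d]]
    for h in sorted(hosts):
        if minimal and classify(h, domains, zone) == "optional-glue":
            continue
        rrs += [(h, "A", a) for a in hosts[h]]
    return rrs
```
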