On Thu, Apr 2, 2020 at 5:10 PM Brian Somers <[email protected]> wrote:
> FWIW, OpenDNS/Umbrella/Cisco will use the glue to look things
> up and won’t explicitly ask the authority for its own NS record.
>
> However, if we’re asked for an NS record by a client, we’ll lookup
> & return the authoritative answer and that answer will trump the glue.
> We’ll never serve glue to a client.
>
> One of the problems with caching NS records is that you’ve got to be
> careful that you don’t let them keep re-asserting their own presence
> in the cache (by repeating their RRset in the AUTH section every time
> you talk to them). We do *force* their eventual TTL decay, but
> for frequently queried domains, the original glue TTL is *not* honoured
> due to the authoritative RRset trumping it!
>

Folks may be interested in this proposal, Paul Vixie, Ralph Dolmans, and I have been working on, to cause resolvers to deterministically prefer the child NS set, while avoiding the problem you mention in the last paragraph:

https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01

I realize some implementers (Petr Spacek?) do not agree, but on balance we think this is what resolvers should do.

Shumon Huque.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
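A simplified model of the re-assertion problem described in the quoted message, as an added example that is not code from either poster, from OpenDNS, or from the draft. The names `NSCache`, `hard_expiry` and `simulate`, the zone and the timings are all hypothetical; it compares a cache that lets each AUTH-section repeat reset the NS RRset's expiry with one that forces the TTL to decay.

```python
from dataclasses import dataclass

@dataclass
class NSEntry:
    nameservers: frozenset
    expires_at: int          # absolute time (seconds) the RRset leaves the cache

class NSCache:
    """Toy delegation cache; hard_expiry=True pins expiry at first insertion."""
    def __init__(self, hard_expiry):
        self.hard_expiry = hard_expiry
        self.entries = {}

    def get(self, zone, now):
        entry = self.entries.get(zone)
        if entry and now < entry.expires_at:
            return entry
        self.entries.pop(zone, None)     # expired or absent
        return None

    def learn(self, zone, nameservers, ttl, now):
        """Called for every NS RRset seen, including AUTH-section repeats."""
        current = self.get(zone, now)
        if current and self.hard_expiry:
            # A re-asserted RRset may refresh the data but never extends expiry.
            current.nameservers = frozenset(nameservers)
            current.expires_at = min(current.expires_at, now + ttl)
            return
        self.entries[zone] = NSEntry(frozenset(nameservers), now + ttl)

def simulate(hard_expiry, ttl=300, query_interval=60, duration=3600):
    """Return the times at which the delegation had to be fetched again."""
    cache = NSCache(hard_expiry)
    refetches = []
    for now in range(0, duration, query_interval):
        if cache.get("example.", now) is None:
            refetches.append(now)        # cache miss: go back up the tree
        # Constructed response: the child repeats its own NS RRset every time.
        cache.learn("example.", {"ns1.example."}, ttl, now)
    return refetches

if __name__ == "__main__":
    print("re-asserting cache refetches at:", simulate(hard_expiry=False))
    print("forced-decay cache refetches at:", simulate(hard_expiry=True))
```

With queries arriving more often than the TTL, the re-asserting cache fetches the delegation once and never again, while the forced-decay cache goes back once per TTL interval.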
