On Tue, 11 May 2021, Eric Rescorla wrote:

> I'd like to make sure I understand your point. Is it simply that this information should be encoded in NS or DS? If so, I don't particularly object to that. I don't have a strong opinion about how this signal is spelled.

DS records and glue (NS, A, AAAA) are the only child records served by the parent. So .ca will publish (redundancy removed for readability):

    nohats.ca. 86400 IN NS ns0.nohats.ca.
    ns0.nohats.ca. 86400 IN A 193.110.157.102
    ns0.nohats.ca. 86400 IN AAAA 2a03:6000:1004:1::102
    nohats.ca. 21599 IN DS 1321 8 2 B7890A1E7B4CE1D671795D5FD46A71F229C58025587BEC4EEB70CCDA 9233011C
    nohats.ca. 21599 IN RRSIG DS 8 2 86400 20210516110615 20210509013859 43854 ca. <blob>

If you define a new RRtype, say FOO, and .ca will add:

    nohats.ca. 86400 IN FOO <data>

Then all DNS software will reject this record as out-of-zone data. It will just never serve this record until you make software modifications. That means changing all DNS authoritative servers on the planet.

Then you also need to DNSSEC sign this record or treat it as glue. That behaviour/expectation has to be added to all DNS recursive/validating software on the planet.

And then you need to update the mechanism how Registries and Registries update this FOO record in the parent zone. You won't be able to rely on these updates for many years to come.

Paul

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
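An added example, not from Paul's message or from any DNS server implementation, that encodes the delegation rule he describes as a small Python check: a parent zone may hold, at or below a zone cut, only the NS and DS RRsets at the cut, the RRSIG covering that DS, and glue A/AAAA for the delegated name servers; anything else (the FOO record) is out-of-zone data. The sample zone reuses the .ca records quoted above and adds two constructed lines (the FOO record and a non-glue A record for www.nohats.ca with the documentation address 192.0.2.1) to show both rejection cases; the apex name and function names are assumptions of this example.

```python
"""Delegation-point check as a parent-zone loader would apply it (example code).
Below a zone cut the parent may serve only: NS and DS at the cut, the RRSIG
covering DS, and glue A/AAAA for name servers named in the cut's NS RRset."""
from __future__ import annotations
from dataclasses import dataclass

APEX = "ca."            # assumed: we are loading the .ca parent zone
GLUE_TYPES = {"A", "AAAA"}

# Constructed sample: the records from the message plus a FOO record and a
# non-glue A record below the cut (192.0.2.1 is a documentation address).
SAMPLE = """
nohats.ca. 86400 IN NS ns0.nohats.ca.
ns0.nohats.ca. 86400 IN A 193.110.157.102
ns0.nohats.ca. 86400 IN AAAA 2a03:6000:1004:1::102
nohats.ca. 21599 IN DS 1321 8 2 B7890A1E7B4CE1D671795D5FD46A71F229C58025587BEC4EEB70CCDA9233011C
nohats.ca. 21599 IN RRSIG DS 8 2 86400 20210516110615 20210509013859 43854 ca. <blob>
nohats.ca. 86400 IN FOO <data>
www.nohats.ca. 86400 IN A 192.0.2.1
"""

@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str

def parse_zone(text: str) -> list[RR]:
    """Parse presentation-format lines: owner TTL IN TYPE rdata..."""
    rrs = []
    for line in text.strip().splitlines():
        owner, ttl, _cls, rtype, *rdata = line.split()
        rrs.append(RR(owner.lower(), int(ttl), rtype.upper(), " ".join(rdata)))
    return rrs

def is_below(name: str, cut: str) -> bool:
    return name == cut or name.endswith("." + cut)

def classify(rrs: list[RR], apex: str = APEX) -> dict[RR, str]:
    """Return 'ok' or 'out-of-zone' for each record under the delegation rules."""
    cuts = {rr.owner for rr in rrs if rr.rtype == "NS" and rr.owner != apex}
    glue_names = {rr.rdata.lower() for rr in rrs if rr.rtype == "NS" and rr.owner in cuts}
    verdict: dict[RR, str] = {}
    for rr in rrs:
        cut = next((c for c in cuts if is_below(rr.owner, c)), None)
        if cut is None:                                    # parent's own data
            verdict[rr] = "ok"
        elif rr.owner == cut and rr.rtype in {"NS", "DS"}:  # delegation + DS at cut
            verdict[rr] = "ok"
        elif rr.owner == cut and rr.rtype == "RRSIG" and rr.rdata.split()[0] == "DS":
            verdict[rr] = "ok"                             # parent signs only the DS RRset
        elif rr.rtype in GLUE_TYPES and rr.owner in glue_names:
            verdict[rr] = "ok"                             # glue for a delegated NS
        else:
            verdict[rr] = "out-of-zone"                    # e.g. FOO, non-glue A below cut
    return verdict

def verdicts_by_type(text: str) -> dict[tuple[str, str], str]:
    """Convenience view keyed by (owner, type) for the sample zone."""
    return {(rr.owner, rr.rtype): v for rr, v in classify(parse_zone(text)).items()}
```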
