On Feb 27, 2013, at 1:18 PM, Alexander Mayrhofer <[email protected]> wrote:
> Hi,
>
> We've been discussing internally whether or not including DS records into a
> zone without respective NS record(s) makes any sense (assuming that there are
> no other RRSETs for the respective label in the zone itself - pure
> "delegation" scenario)... My personal assumption is that it does not, since
> the DS record can never be used to verify the information in the
> (unreachable) delegated zone?

When a parent and child zone are served from the same server set, like co.uk and uk, you could have _in_theory_ DS records without NS records in the parent zone. A resolver would never observe the delegation point NS record. A validating resolver would need to explicitly ask for the DS record. If the DS record is present, the DS plus signatures will be returned. However, absence of the DS record is problematic, as there is no NSEC(3) record indicating presence of NS, absence of SOA+DS.

I think you'd need to implement these specifics though, as current authoritative servers and signers might throw an error when observing a DS without NS, but I haven't checked.

I wouldn't recommend it though, it might introduce corner cases. See RFC6840, section 4.1 as an example of what such a corner case might look like.

Hope this helps,

Roy Arends
Nominet Research Fellow

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
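As an added example (not code from this thread or from Nominet), a small Python zone linter that flags the corner cases Roy describes: a DS RRset whose owner has no NS RRset, and NSEC type bitmaps at delegation points that cannot prove the delegation (NS missing, SOA present, or DS listed inconsistently). The zone text, owner names and DS digests are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample zone (not real data): owner, TTL, class, type, rdata per line.
SAMPLE_ZONE = """\
example.        3600 IN SOA  ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.        3600 IN NS   ns1.example.
example.        3600 IN NSEC bad.example. NS SOA RRSIG NSEC DNSKEY
bad.example.    3600 IN NS   ns1.bad.example.
bad.example.    3600 IN DS   11111 8 2 PLACEHOLDERDIGEST
bad.example.    3600 IN NSEC good.example. NS RRSIG NSEC
good.example.   3600 IN NS   ns1.good.example.
good.example.   3600 IN DS   22222 8 2 PLACEHOLDERDIGEST
good.example.   3600 IN NSEC orphan.example. NS DS RRSIG NSEC
orphan.example. 3600 IN DS   33333 8 2 PLACEHOLDERDIGEST
orphan.example. 3600 IN NSEC example. DS RRSIG NSEC
"""
def parse_zone(text):
    """Return {owner: {rrtype: [rdata, ...]}}; ';' comments and blank lines are skipped."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        zone[owner.lower()][rrtype.upper()].append(rdata)
    return zone

def nsec_bitmap(rrsets):
    """Types listed in the owner's NSEC type bitmap (empty set if there is no NSEC)."""
    types = set()
    for rdata in rrsets.get("NSEC", []):
        types.update(t.upper() for t in rdata.split()[1:])  # skip the next-owner field
    return types

def lint_delegations(zone):
    """Return sorted (owner, problem) pairs for the DS/NS corner cases."""
    problems = []
    for owner, rrsets in zone.items():
        has_ns, has_ds, has_soa = "NS" in rrsets, "DS" in rrsets, "SOA" in rrsets
        bitmap = nsec_bitmap(rrsets)
        if has_ds and not has_ns:
            problems.append((owner, "DS without NS: no delegation for validators to follow"))
        if "DS" in bitmap and "NS" not in bitmap:
            problems.append((owner, "NSEC lists DS but not NS: cannot prove a delegation"))
        if has_ns and not has_soa and bitmap:  # delegation point that carries an NSEC
            if "SOA" in bitmap:
                problems.append((owner, "NSEC at delegation claims SOA"))
            if ("DS" in bitmap) != has_ds:
                problems.append((owner, "NSEC bitmap disagrees with DS presence"))
    return sorted(problems)
```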
