On Feb 27, 2013, at 21:50, Roy Arends wrote:

> When a parent and child zone are served from the same server set, like co.uk
> and uk, you could have _in_theory_ DS records without NS records in the
> parent zone. A resolver would never observe the delegation point NS record. A
> validating resolver would need to explicitly ask for the DS record. If the DS
> record is present, the DS plus signatures will be returned. However, absence
> of the DS record is problematic, as there is no NSEC(3) record indicating
> presence of NS, absence of SOA+DS.

Roy, that idea bothers me.

It's true, if all of the name servers for the parent are all of the name servers for a child, the NS set is not necessary. But claiming that you could then have DS records means the same name would have to own DNSKEY records (for the DS to reference) and then an SOA to allow the owner to appear in the RRSIG's signer name field. Sure, you don't need the NS, but you need everything else that makes a zone cut.

But wait, there's more. The NSEC/NSEC3 record really ought to indicate that there's a delegation there, and for that the NS bit has to be turned on - so there's a need for an NS.

> I think you'd need to implement these specifics though, as current
> authoritative servers and signers might throw an error when observing a DS
> without NS, but I haven't checked.

Without specifically saying what error would be thrown (and when, on zone load?), current servers should have issues with a name owning a DS and no NS.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
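The two objections raised in the message above (a DS whose owner has no NS is not a zone cut, and the NSEC at a delegation must carry the NS bit) can be turned into a zone-lint pass. The following is an added example, written for this page and not code from either poster; it parses a constructed, simplified parent-zone fragment for `uk.` (placeholder key tags and digests, a made-up record layout of `owner type rdata`, not real zone data) and reports names below the apex that violate the zone-cut invariants. The SOA-bit-clear and DS-bit-agreement checks on the NSEC bitmap go slightly beyond the thread and follow the parent-side NSEC rules for delegations that the message alludes to.

```python
"""Zone-cut consistency lint for a signed parent zone (added example, constructed data)."""
from collections import defaultdict

# Constructed sample parent zone for the 'uk.' apex. Not real data: key tags,
# digests and the one-line record format are placeholders for this example.
# Fields: owner, RR type, rdata tokens (NSEC rdata = next owner, then type bitmap).
CONSTRUCTED_PARENT_ZONE = """
uk.      SOA    ns1.uk. hostmaster.uk. 2013022701 3600 900 604800 300
uk.      NS     ns1.uk.
uk.      DNSKEY 257 3 8 PLACEHOLDERKEY
uk.      NSEC   co.uk. SOA NS DNSKEY RRSIG NSEC
co.uk.   DS     12345 8 2 PLACEHOLDERDIGEST
co.uk.   NSEC   gov.uk. DS RRSIG NSEC
gov.uk.  NS     ns1.uk.
gov.uk.  NSEC   org.uk. NS RRSIG NSEC
org.uk.  NS     ns1.uk.
org.uk.  DS     23456 8 2 PLACEHOLDERDIGEST
org.uk.  NSEC   uk. NS DS RRSIG NSEC
"""


def parse_zone(text):
    """Return owner -> {rrtype: [rdata token lists]} for the simplified format above."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rrtype, rdata = fields[0].lower(), fields[1].upper(), fields[2:]
        zone[owner][rrtype].append(rdata)
    return zone


def nsec_bitmap(rrsets):
    """Set of types named in the owner's NSEC type bitmap, or None if there is no NSEC."""
    nsec = rrsets.get("NSEC")
    if not nsec:
        return None
    return {t.upper() for t in nsec[0][1:]}  # rdata[0] is the next owner name


def zone_cut_problems(zone, apex):
    """Flag names below the apex whose records do not form a well-formed zone cut."""
    problems = []
    for owner in sorted(zone):
        if owner == apex:
            continue
        rrsets = zone[owner]
        has_ns, has_ds = "NS" in rrsets, "DS" in rrsets
        bitmap = nsec_bitmap(rrsets)

        # Lewis's first point: a DS only makes sense at a zone cut, and the cut is the NS set.
        if has_ds and not has_ns:
            problems.append(f"{owner}: DS without NS (no zone cut for the DS to hang on)")

        if has_ns or has_ds:
            if bitmap is None:
                problems.append(f"{owner}: delegation without an NSEC")
            else:
                # Lewis's second point: the NSEC must say "delegation here" via the NS bit.
                if "NS" not in bitmap:
                    problems.append(f"{owner}: NSEC bitmap lacks the NS bit")
                # Parent-side NSEC at a delegation never carries SOA (that would be a child apex).
                if "SOA" in bitmap:
                    problems.append(f"{owner}: NSEC bitmap has SOA set (looks like a child apex)")
                # The DS bit is what proves a secure vs. insecure delegation; it must match reality.
                if ("DS" in bitmap) != has_ds:
                    problems.append(f"{owner}: NSEC DS bit disagrees with the DS RRset")

        # Apex-only types owned below the parent's apex mean a zone cut was needed but is missing.
        for rrtype in ("SOA", "DNSKEY"):
            if rrtype in rrsets:
                problems.append(f"{owner}: {rrtype} below the apex")
    return problems


def check_constructed_zone():
    """Run the lint over the constructed sample; returns the list of findings."""
    return zone_cut_problems(parse_zone(CONSTRUCTED_PARENT_ZONE), "uk.")


if __name__ == "__main__":
    for finding in check_constructed_zone():
        print(finding)
```

Run against the sample, `co.uk.` is reported twice (DS without NS, and an NSEC bitmap with no NS bit), while `gov.uk.` (insecure delegation, NS bit set, DS bit clear) and `org.uk.` (secure delegation, NS and DS bits set) pass. Feeding a real zone through this would require a proper presentation-format parser; the record layout here exists only to keep the example self-contained.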
