On Feb 28, 2013, at 7:03 AM, Edward Lewis <[email protected]> wrote:
> On Feb 27, 2013, at 21:50, Roy Arends wrote:
>
>> When a parent and child zone are served from the same server set, like co.uk
>> and uk, you could have _in_theory_ DS records without NS records in the
>> parent zone. A resolver would never observe the delegation point NS record.
>> A validating resolver would need to explicitly ask for the DS record. If the
>> DS record is present, the DS plus signatures will be returned. However,
>> absence of the DS record is problematic, as there is no NSEC(3) record
>> indicating presence of NS, absence of SOA+DS.
>
> Roy, that idea bothers me.
>
> It's true, if all of the name servers for the parent are all of the name
> servers for a child, the NS set is not necessary. But claiming then you
> could have DS records means the same name would have to own DNSKEY records
> (for the DS to reference) and then an SOA to allow the owner to appear in the
> RRSIG's signer name field.

The DS record, in the parent zone, refers to the DNSKEY in the child zone. The RRSIG over the DS record contains a signer name of the DNSKEY of the parent. Both SOAs, at child and parent, do exist.

> Sure you don't need the NS, but you need everything else that makes a zone
> cut. But wait, there's more. The NSEC/NSEC3 record really ought to indicate
> that there's a delegation there and for that the NS bit has to be turned on -
> so there's a need for an NS.

When parent and child are served from the same set, what does a resolver need to ask in order to see the parent-side NSEC/NSEC3 record that proves presence or absence of the NS? IMHO, it won't be able to form a request so that the authoritative server would return the NSEC[3] that shows that there really was a zone cut (that is, served from the parent zone).

>> I think you'd need to implement these specifics though, as current
>> authoritative servers and signers might throw an error when observing a DS
>> without NS, but I haven't checked.
>
> Without specifically saying what error would be thrown (and when, on zone
> load?), current servers should have issues with a name owning a DS and no NS.

I think we're in complete agreement. Mixing a gun, a bullet and a foot in an unintended way will have unintended consequences, many of them not really desirable :-)

Roy

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
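As an added example, not part of the thread or of any DNS implementation: a small Python lint over constructed parent-zone records that flags the inconsistencies Roy and Ed describe (a name owning DS but no NS, an NSEC whose type bitmap omits the NS bit at a delegation, or an NSEC claiming SOA below the apex). Zone contents, server names and key material are constructed placeholders; RRSIGs are omitted.

```python
"""Lint a parent zone for the delegation inconsistencies discussed above.

Constructed example: owner/type/rdata triples of a hypothetical signed
parent zone (RRSIG records omitted for brevity).
"""
from collections import defaultdict

PARENT_ZONE = [
    ("uk.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 3600"),
    ("uk.", "NS", "ns1.example."),
    ("uk.", "DNSKEY", "257 3 8 <placeholder-key>"),
    ("uk.", "NSEC", "ac.uk. NS SOA DNSKEY RRSIG NSEC"),
    ("ac.uk.", "NS", "ns1.example."),
    ("ac.uk.", "NSEC", "co.uk. RRSIG NSEC"),          # bitmap omits the NS bit
    ("co.uk.", "NS", "ns1.example."),
    ("co.uk.", "DS", "12345 8 2 <placeholder-digest>"),
    ("co.uk.", "NSEC", "org.uk. NS DS RRSIG NSEC"),   # a proper secure delegation
    ("org.uk.", "DS", "23456 8 2 <placeholder-digest>"),  # DS with no NS: Roy's case
    ("org.uk.", "NSEC", "uk. DS RRSIG NSEC"),
]


def lint_delegations(records):
    """Return human-readable problems for every name below the zone apex."""
    by_name = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        by_name[owner][rtype].append(rdata)
    # The apex is the one name owning an SOA; everything else is either
    # a delegation (NS) or in-zone data and must not look like an apex.
    apex = next(name for name, types in by_name.items() if "SOA" in types)

    problems = []
    for owner, types in by_name.items():
        if owner == apex:
            continue
        has_ns, has_ds = "NS" in types, "DS" in types
        if has_ds and not has_ns:
            problems.append(f"{owner}: DS present but no NS, so there is no zone cut for it to refer to")
        for nsec in types.get("NSEC", []):
            bitmap = set(nsec.split()[1:])  # rdata is "next-name TYPE TYPE ..."
            if has_ns and "NS" not in bitmap:
                problems.append(f"{owner}: NSEC bitmap lacks NS, so the delegation cannot be proven")
            if "SOA" in bitmap:
                problems.append(f"{owner}: NSEC bitmap claims SOA below the apex")
    return problems


if __name__ == "__main__":
    for line in lint_delegations(PARENT_ZONE):
        print(line)
```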
