On Feb 28, 2013, at 7:03 AM, Edward Lewis <[email protected]> wrote:

> On Feb 27, 2013, at 21:50, Roy Arends wrote:
> 
> 
>> When a parent and child zone are served from the same server set, like co.uk 
>> and uk, you could have _in_theory_ DS records without NS records in the 
>> parent zone. A resolver would never observe the delegation point NS record. 
>> A validating resolver would need to explicitly ask for the DS record. If the 
>> DS record is present, the DS plus signatures will be returned. However, 
>> absence of the DS record is problematic, as there is no NSEC(3) record 
>> indicating presence of NS, absence of SOA+DS. 
> 
> Roy, that idea bothers me.
> 
> It's true, if all of the name servers for the parent are all of the name 
> servers for a child, the NS set is not necessary.  But claiming then you 
> could have DS records means the same name would have to own DNSKEY records 
> (for the DS to reference) and then an SOA to allow the owner to appear in the 
> RRSIG's signer name field.

The DS record, in the parent zone, refers to the DNSKEY in the child zone. The 
RRSIG over the DS record contains a signer name of the DNSKEY of the parent. 
Both SOAs at child and parent do exist.

>  Sure you don't need the NS, but you need everything else that makes a zone 
> cut.  But wait, there's more.  The NSEC/NSEC3 record really ought to indicate 
> that there's a delegation there and for that the NS bit has to be turned on - 
> so there's a need for an NS.

When parent and child are served from the same set, what does a resolver need 
to ask in order to see the parent side NSEC/NSEC3 record that proves presence 
or absence of the NS? IMHO, it won't be able to form a request so that the 
authoritative server would return the NSEC[3] that shows that there really was 
a zone cut (that is, served from the parent zone).

> 
>> I think you'd need to implement these specifics though, as current 
>> authoritative servers and signers might throw an error when observing a DS 
>> without NS, but I haven't checked.
> 
> Without specifically saying what error would be thrown (and when, on zone 
> load?), current servers should have issues with a name owning a DS and no NS.

I think we're in complete agreement. Mixing a gun, a bullet and a foot in an 
unintended way will have unintended consequences, many of them not really 
desirable :-)

Roy
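The zone-cut rule the thread circles around (a DS only makes sense beside an NS, and the parent-side NSEC bitmap at a cut should show NS and DS but no SOA), as an added example that is not part of the original thread or of any DNS implementation; the zone data is a constructed toy sample and the function names are my own:

```python
"""Zone-cut check around DS/NS plus NSEC type-bitmap encoding.

Added example, not code from the thread or any DNS implementation. It models
the rule discussed above: a DS in the parent zone belongs at a delegation,
i.e. beside an NS RRset and without an SOA, so the parent-side NSEC bitmap
there shows NS (and DS) but no SOA. Zone data is a constructed toy sample.
"""
TYPE_CODE = {"A": 1, "NS": 2, "SOA": 6, "DS": 43, "RRSIG": 46, "NSEC": 47,
             "DNSKEY": 48}  # RFC 4034 RR type codes used below

# Constructed sample: (owner, rrtype) pairs as a signer sees them on zone load.
# "broken.example." has a DS but no NS, the case the thread expects servers to reject.
SAMPLE_ZONE = [
    ("example.", "SOA"), ("example.", "NS"), ("example.", "DNSKEY"),
    ("child.example.", "NS"), ("child.example.", "DS"),
    ("unsigned.example.", "NS"),
    ("broken.example.", "DS"),
    ("www.example.", "A"),
]

def types_at(zone, owner):
    """Set of RR types present at OWNER (what the NSEC bitmap advertises)."""
    return {t for o, t in zone if o == owner}

def classify(types):
    """What the parent-side type bitmap says a name is."""
    if "SOA" in types:
        return "apex"                 # the zone's own apex, not a cut
    if "NS" in types:
        return "secure-delegation" if "DS" in types else "insecure-delegation"
    if "DS" in types:
        return "ds-without-ns"        # nothing for the DS to refer to
    return "ordinary"

def check_zone(zone):
    """Map every owner name in ZONE to its classification."""
    return {o: classify(types_at(zone, o)) for o in {o for o, _ in zone}}

def ds_without_ns(zone):
    """Owner names that trip the 'DS without NS' condition."""
    return sorted(o for o, c in check_zone(zone).items() if c == "ds-without-ns")

def nsec_type_bitmap(types):
    """Wire-format NSEC Type Bit Maps (RFC 4034 s4.1.2), window block 0 only."""
    codes = sorted(TYPE_CODE[t] for t in types)
    bits = bytearray(codes[-1] // 8 + 1)
    for c in codes:
        bits[c // 8] |= 0x80 >> (c % 8)
    return bytes([0, len(bits)]) + bytes(bits)
```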
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop