On Wed, Feb 27, 2013 at 11:03 PM, Edward Lewis <[email protected]> wrote:
> On Feb 27, 2013, at 21:50, Roy Arends wrote:
>
>> When a parent and child zone are served from the same server set, like
>> co.uk and uk, you could have _in_theory_ DS records without NS records in
>> the parent zone. A resolver would never observe the delegation point NS
>> record. A validating resolver would need to explicitly ask for the DS
>> record. If the DS record is present, the DS plus signatures will be
>> returned. However, absence of the DS record is problematic, as there is no
>> NSEC(3) record indicating presence of NS, absence of SOA+DS.
>
> Roy, that idea bothers me.
>
> It's true, if all of the name servers for the parent are all of the name
> servers for a child, the NS set is not necessary. But claiming then you
> could have DS records means the same name would have to own DNSKEY records
> (for the DS to reference) and then an SOA to allow the owner to appear in
> the RRSIG's signer name field. Sure you don't need the NS, but you need
> everything else that makes a zone cut. But wait, there's more. The
> NSEC/NSEC3 record really ought to indicate that there's a delegation there
> and for that the NS bit has to be turned on - so there's a need for an NS.

Couldn't agree more. If the NSEC record does not have the NS bit set, then
validators may not see it as an insecure delegation and the result would be
bogus.

Sean

>> I think you'd need to implement these specifics though, as current
>> authoritative servers and signers might throw an error when observing a DS
>> without NS, but I haven't checked.
>
> Without specifically saying what error would be thrown (and when, on zone
> load?), current servers should have issues with a name owning a DS and no
> NS.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> There are no answers - just tradeoffs, decisions, and responses.
-- 
Sean
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
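The check Sean and Edward are describing, as an added example that is not code from any poster in this thread: a validator that wants to prove "no DS at this name" from an NSEC must see the NS bit set and the SOA bit clear in the NSEC's type bitmap (RFC 4035 section 5.2, as clarified by RFC 6840 section 4.4). The script below encodes and decodes the RFC 4034 section 4.1.2 window-block type bitmap and classifies what a matching NSEC proves; the bitmaps it feeds in are constructed for illustration, and the result labels (`insecure_delegation`, `bogus_no_ns_bit`, etc.) are this example's own names, not protocol terms. NSEC3 uses the same Type Bit Maps encoding, so the same classifier applies to it.

```python
"""Check what an NSEC type bitmap proves about a DS RRset at a delegation.

Added example for the DNSOP thread above (not code from any of the posters).
RFC 4035 s5.2, as clarified by RFC 6840 s4.4, requires that an NSEC (or NSEC3)
record used to prove "no DS here" has the NS bit set and the SOA bit clear.
Without the NS bit the validator cannot treat the name as an insecure
delegation, so the answer is bogus.
"""

# RR type codes used in the examples (IANA assignments).
TYPE_CODES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "DS": 43,
              "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}


def encode_type_bitmap(types):
    """Encode RR type names as an RFC 4034 s4.1.2 window-block bitmap."""
    windows = {}
    for name in types:
        code = TYPE_CODES[name]
        window, low = code >> 8, code & 0xFF
        block = windows.setdefault(window, bytearray(32))
        # Bit 0 of octet 0 is the high-order bit and stands for type 0.
        block[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for window in sorted(windows):
        block = windows[window]
        length = 32
        while length > 1 and block[length - 1] == 0:  # trailing zero octets are omitted
            length -= 1
        out += bytes((window, length)) + block[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Decode a window-block bitmap into the set of RR type codes it lists."""
    types = set()
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("window block length must be 1..32")
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated window block")
        for octet_index, octet in enumerate(block):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (octet_index * 8 + bit))
        i += 2 + length
    return types


def classify_ds_proof(type_codes):
    """Apply the RFC 4035 s5.2 / RFC 6840 s4.4 rule to a matching NSEC's bitmap.

    The labels returned are this example's own, not protocol terms.
    """
    def has(name):
        return TYPE_CODES[name] in type_codes

    if has("DS"):
        return "ds_present"            # the NSEC says a DS RRset exists; fetch and validate it
    if has("SOA"):
        return "apex_not_delegation"   # this NSEC is from the child's apex, not the parent side
    if not has("NS"):
        return "bogus_no_ns_bit"       # cannot be accepted as an insecure-delegation proof
    return "insecure_delegation"


def classify_nsec_bitmap(bitmap):
    """Convenience wrapper: wire-format bitmap in, classification out."""
    return classify_ds_proof(decode_type_bitmap(bitmap))


if __name__ == "__main__":
    # Constructed bitmaps standing in for the NSEC found at a delegation name.
    cases = (
        ("normal unsigned delegation", ["NS", "RRSIG", "NSEC"]),
        ("no NS, no DS (the DS-without-NS scheme, DS absent)", ["RRSIG", "NSEC"]),
        ("signed delegation", ["NS", "DS", "RRSIG", "NSEC"]),
    )
    for label, types in cases:
        print(f"{label}: {classify_nsec_bitmap(encode_type_bitmap(types))}")
```

The decoder rejects window blocks whose length is outside 1..32 or that are truncated, which is what a resolver should do before trusting any bit in an NSEC it received from the wire.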
