NS, above and below, was easy to handle even in DNSSEC, since it was always
part of the delegation and was only signed in the child. Making any other
RRtype above and below would be much harder since it would not automatically be
exposed on every referral.

The boo boo was putting DS at the delegation point. Had we put it at
_ds._dnssec.$delegationpoint then it would have an unambiguous location in the
parent and could be queried via non-DNSSEC-aware middle boxes, which would make
stub validation a lot more practical. Oh well.

Paul

Edward Lewis <[email protected]> wrote:
>
>On Apr 19, 2013, at 10:15, Joe Abley wrote:
>
>> Ah yes, also that. OK, I've thrown it in the bad idea bucket. :-)
>
>
>One of the regrets about DNS design is that we used NS above and below
>the zone cut. That complicated DNSSEC.
>
>We resisted the temptation to have KEY (later called DNSKEY) at both
>parent and child because of the issues. NSEC, yes, sigh, it was a
>headache but we scaled that mountain.
>
>So, "in the big book of boo-boos" (to quote Doc McStuffins), we should
>avoid having the same type appear above and below a cut. It pays to
>have a separate name - even if that alone is the difference (in the
>presentation format ;)).
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>Edward Lewis
>NeuStar You can leave a voice message at
>+1-571-434-5468
>
>There are no answers - just tradeoffs, decisions, and responses.
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>DNSOP mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/dnsop
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.