Paul Hoffman wrote:
> Further, I disagree with this being about "deeming". There is a
> simple rule (the owner name is a subzone of the answer), whereas
> "deeming" indicates that there might be other logic that is not
> given here.

Bailiwick checking is not checking that the owner name is a "subzone of the answer", it is checking that the owner name is a subdomain of the domain whose servers are being queried.

Suppose we are resolving www.example.com and the "best servers to ask" (in the algorithm of RFC1034 5.3.3, step 2) are the .com servers. If one of them responds with "example.com NS ns1.foo.com" and a glue record with ns1.foo.com as its owner name, this glue record is in-bailiwick because it is a subdomain of .com, the domain whose server is being queried, even though it is not a "subzone of the answer", which I would interpret as "a subdomain of example.com" rather than "a subdomain of com".

I believe this is also what RFC 5452 means by "One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended".

This is not limited to glue; the same issues arise with records in the additional section and with CNAME chains.
-- 
Andreas Gustafsson, [email protected]
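
The check described in the message above, as an added example that is not part of the original post: owner names are compared label by label against the domain whose servers were queried, and the same referral is then filtered under the "subdomain of example.com" reading for contrast. The function names and the referral records are constructed for illustration, and names are assumed to be in presentation format without escaped dots.

```python
# Added illustration; is_subdomain and filter_in_bailiwick are hypothetical names.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing root dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_subdomain(name, domain):
    """True if name equals domain or lies below it, compared label by label.

    A plain string suffix test would wrongly accept "www.notcom" for "com".
    """
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d

def filter_in_bailiwick(queried_domain, records):
    """Split records into (accepted, rejected) by owner name.

    queried_domain is the domain whose servers were asked, not the query name.
    """
    accepted, rejected = [], []
    for rr in records:
        owner = rr[0]
        (accepted if is_subdomain(owner, queried_domain) else rejected).append(rr)
    return accepted, rejected

# Constructed referral from a .com server while resolving www.example.com.
REFERRAL = [
    ("example.com.", "NS", "ns1.foo.com."),
    ("ns1.foo.com.", "A", "192.0.2.1"),      # glue: under com, not under example.com
    ("ns.example.net.", "A", "192.0.2.2"),   # owner outside com
    ("www.notcom.", "A", "192.0.2.3"),       # ends in the string "com", different label
]

if __name__ == "__main__":
    # Bailiwick is "com" because the .com servers were the ones queried.
    ok, dropped = filter_in_bailiwick("com", REFERRAL)
    print("bailiwick com accepts:", [r[0] for r in ok])
    print("bailiwick com rejects:", [r[0] for r in dropped])
    # The "subdomain of example.com" reading would discard the ns1.foo.com glue.
    ok, dropped = filter_in_bailiwick("example.com", REFERRAL)
    print("example.com reading accepts:", [r[0] for r in ok])
```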
