(very very delayed reply, rebooting draft now...)

On 2016-03-17 at 22:45, John Kristoff wrote:

The introduction lists 8 areas of interest.  All, except "7. Name
Server" have their own section in the table of contents.  Oversight?

Yes, one section was missing. Fixed now.

This sentence is awfully confusing:

  Many requirements in this document deal with the properties of a
  nameserver that is used as part of a delegation, therefore the
  wording mentioning the use of a name server as part of this is

First there is nameserver, then name server as two words.  Which is
it? More importantly, I'm not quite sure what is being said here. Can
you perhaps rewrite, elaborate or provide an example?

Perhaps better? "Many requirements in this document deal with the properties of a
name server that is used as part of a delegation, therefore the wording
mentioning the use - authoritative or recursive - of a name server as part of
this is omitted."


You may be interested to know that I recently submitted a draft on DNS
over TCP operational requirements.  If that work progresses as I hope,
it might help with section 4.2 of your draft.

Reference added.


The consistency requirements might be too strict, since it applies all
zone data. While reasonable people might fret about inconsistency when
things like "views", "geo-location", client-subnet and so on are in
use, it might be best to limit consistency requirements to the
infrastructure records (e.g. SOA, NS).

Yes, I've added a reference to RFC 7871.


Additionally, I could imagine an argument being made that all names
need not respond with the same NS RRset.  While generally this
delegation or authority list inconsistency is often indication of a
problem, it is feasible that it might be intentional and may even
provide some advantage.  The so-called "fast flux" invention by the
miscreants taught us that.

Do you have any proposed text to address this?

Suggesting that name servers be the same AS is often unnecessary. More
important is diversity in the route announcements covering the name
server addresses.  Many might not even be able to easily satisfy this

Addressed in https://github.com/CENTRccTLDs/TRTF/commit/6a9e326208c0d1d650396850b2e654e1942c212c

A few additional topics you may wish to consider:

  * delegated name server should be authoritative only (no rd service)


  * ptr names of NS addresses should match the associated A/AAAA names

Why is that?

  * name server should run NTP or equivalent so time is accurate

This would be import if using TSIG, but how is it important form a delegation point of view?

  * DNS TTLs of the NS and A/AAAA name servers MUST be consistent

It makes sense to me, but we need to explain why.


(work in progress version at https://github.com/CENTRccTLDs/TRTF/blob/master/ietf/draft-wallstrom-dnsop-dns-delegation-requirements.md)

DNSOP mailing list

Reply via email to