Stephane Bortzmeyer wrote:
> On Mon, Dec 05, 2016 at 01:44:29PM -0800,
>  David Conrad <[email protected]> wrote 
>  a message of 53 lines which said:
> 
> > It might be more helpful if you perhaps could explain why you're not 
> > convinced?
> 
> 1) Glue is only for in-child nameservers. The majority of delegations
> don't use glue. So, glue is only a part of the problem.

I can easily believe that most delegation NS RRsets don't directly
require glue address records. But it stands to reason that all glueless
delegations must ultimately rely on other delegations with address glue
in order to be resolved.

> 2) The proper behaviour is for the child NS TTL to be used because it
> is authoritative. This is what resolvers like Unbound do. If all
> resolvers don't do it, we should change that, instead of allowing to
> change the TTL in the parent.

Sure, Unbound implements the trustworthiness ranking in RFC 2181 §5.4.1,
like other implementations, so for a given zone the apex NS RRset will
overwrite the delegation NS RRset. But it doesn't go out of its way to
fetch authoritative data from the child to replace cached glue address
records. (Unless you turn on Unbound's "harden-referral-path" option.)

> 2bis) Section 2.1 of draft-vixie-dnsext-resimprove seems the way to go
> (with the provisions of its section 2.2, to avoid ghost domains.)

If I understand the complaint in the blog post you linked, the other
issue that they want to avoid (which isn't mentioned at all AFAICS) is
avoiding any extra RTTs to fill in glue records from the child. But if
you don't mind possible extra RTTs there is the obvious solution of
providing customers with nameserver names whose address records are not
also glue address records.

-- 
Robert Edmonds
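
As an added illustration of the RFC 2181 §5.4.1 ranking discussed above (example code written for this page, not Unbound's code and not from anyone in the thread): a toy resolver cache that ranks RRsets by where they came from, so a child's authoritative apex NS RRset overwrites the parent's delegation NS RRset, while glue address records stay at the lowest rank until the resolver explicitly asks the child for them. The numeric ranks, the "equal rank replaces" rule, the names, addresses and TTLs are all constructed assumptions.

```python
"""Toy model of RFC 2181 section 5.4.1 credibility ranking in a resolver cache.

Added example for this thread; not code from Unbound or from the message author.
Rank numbers and all record values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified credibility ranks, higher is more trustworthy (after RFC 2181 s5.4.1).
AUTH_ANSWER = 3        # answer section of an authoritative (AA=1) reply
NONAUTH_ANSWER = 2     # answer section of a non-authoritative reply
AUTHORITY_SECTION = 1  # authority section of a referral: the delegation NS RRset
ADDITIONAL = 0         # additional section: glue A/AAAA records


@dataclass
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    ttl: int
    rank: int
    stored_at: float = 0.0

    def expired(self, now: float) -> bool:
        return now - self.stored_at >= self.ttl


class Cache:
    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], RRset] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        return name.lower().rstrip("."), rtype.upper()

    def insert(self, rrset: RRset, now: float) -> bool:
        """Store rrset unless unexpired data of higher rank is already cached.

        Equal rank replaces, so a fresh copy refreshes the TTL (assumption)."""
        key = self._key(rrset.name, rrset.rtype)
        cur = self._entries.get(key)
        if cur is not None and not cur.expired(now) and cur.rank > rrset.rank:
            return False
        rrset.stored_at = now
        self._entries[key] = rrset
        return True

    def lookup(self, name: str, rtype: str, now: float,
               for_answer: bool = False) -> Optional[RRset]:
        """Return cached data. With for_answer=True, refuse the least trustworthy
        ranks (referral authority/additional data), which RFC 2181 says should
        never be handed back to clients as answers; they are only for iteration."""
        cur = self._entries.get(self._key(name, rtype))
        if cur is None or cur.expired(now):
            return None
        if for_answer and cur.rank <= AUTHORITY_SECTION:
            return None
        return cur


def delegation_scenario() -> dict:
    """Walk through the exchange discussed in the thread with constructed records."""
    cache = Cache()
    ns_rdata = ("ns1.example.com.", "ns2.example.com.")

    # 1. Referral from the parent: delegation NS (TTL 2 days) plus glue A for ns1.
    cache.insert(RRset("example.com", "NS", ns_rdata, 172800, AUTHORITY_SECTION), now=0.0)
    cache.insert(RRset("ns1.example.com", "A", ("192.0.2.1",), 172800, ADDITIONAL), now=0.0)
    parent_ns_ttl = cache.lookup("example.com", "NS", 0.0).ttl

    # 2. Authoritative answer from the child: the apex NS RRset with the child's TTL.
    child_ns_accepted = cache.insert(
        RRset("example.com", "NS", ns_rdata, 3600, AUTH_ANSWER), now=1.0)
    child_ns_ttl = cache.lookup("example.com", "NS", 1.0).ttl

    # 3. A later referral repeating the parent's copy must not demote the apex data.
    parent_ns_rejected = not cache.insert(
        RRset("example.com", "NS", ns_rdata, 172800, AUTHORITY_SECTION), now=2.0)

    # 4. The glue A for ns1 is still rank ADDITIONAL: usable for iteration, never as an answer.
    glue_usable_internally = cache.lookup("ns1.example.com", "A", 2.0) is not None
    glue_answerable = cache.lookup("ns1.example.com", "A", 2.0, for_answer=True) is not None

    # 5. Only an explicit query to the child (the harden-referral-path style of behaviour)
    #    replaces the glue with authoritative address data carrying the child's TTL.
    cache.insert(RRset("ns1.example.com", "A", ("192.0.2.1",), 300, AUTH_ANSWER), now=3.0)
    auth_a_ttl = cache.lookup("ns1.example.com", "A", 3.0, for_answer=True).ttl

    return {
        "parent_ns_ttl": parent_ns_ttl,
        "child_ns_accepted": child_ns_accepted,
        "child_ns_ttl": child_ns_ttl,
        "parent_ns_rejected": parent_ns_rejected,
        "glue_usable_internally": glue_usable_internally,
        "glue_answerable": glue_answerable,
        "auth_a_ttl": auth_a_ttl,
    }


if __name__ == "__main__":
    for k, v in delegation_scenario().items():
        print(f"{k}: {v}")
```

The point the model makes concrete: the ranking alone fixes the NS TTL problem only for the NS RRset, because the child's apex NS arrives in an authoritative answer anyway. The glue address records never get outranked unless the resolver spends the extra round trip to query the child for them, which is exactly the RTT cost the thread is weighing.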

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
