Ohta-san,

On 7 Feb 2019, at 18:28, Masataka Ohta <[email protected]> wrote:

> Petr Spacek wrote:
> 
>>    5. At least one NS RR must be present at the top of the zone.
> 
> At least two.

With respect, I think the protocol requirement is at least one, not at least 
two.

I think best current practice is to avoid single-points of failure with the set 
of servers used to provide authoritative answers, and I agree that in many 
cases this is codified in user interfaces and registry policy as requiring two 
NS RRs. However, there is no shortage of such multiple RRs that refer to a 
single subnet or even a single instance of a nameserver process (so "at least 
two" is sometimes insufficient), and its perfectly possible to use anycast or 
both A and AAAA RRs attached to a single nameserver name that provide useful 
much more useful diversity than those degenerate two-NS implementations (so 
"just one" could in some circumstances be adequate).

RFC 7108 describes the implementation of a method that includes a single 
point-of-failure by design (see discussion of IDENTITY.L.ROOT-SERVERS.ORG 
<http://identity.l.root-servers.org/> in section 5).

In short, this is an operational question with multiple answers and I don't 
like the idea of formalising an over-simplistic restriction in the protocol 
specification.


Joe
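The point made above, that counting NS RRs says little about resilience, can be checked mechanically. The following is an added example, not code from the thread or from any DNS implementation: it takes an apex NS set together with the addresses each name resolves to (constructed here from documentation-range addresses and hypothetical server names) and reports how many distinct addresses, prefixes and address families the set actually spans, so a "two NS RRs on one subnet" set and a "one NS name, A plus AAAA" set can be compared.

```python
import ipaddress

# Constructed sample data (hypothetical names, RFC 5737 / RFC 3849 addresses):
# each apex NS target name mapped to the A/AAAA addresses it resolves to.
TWO_NS_ONE_SUBNET = {          # the degenerate "at least two" case
    "ns1.example.net.": ["192.0.2.10"],
    "ns2.example.net.": ["192.0.2.11"],
}
ONE_NS_DUAL_STACK = {          # a single NS name carrying both A and AAAA
    "ns.example.org.": ["198.51.100.5", "2001:db8:1::5"],
}


def summarize_ns_set(ns_addrs):
    """Return diversity measures for an apex NS set.

    ns_addrs maps each NS target name to its list of A/AAAA addresses.
    Prefix granularity is /24 for IPv4 and /48 for IPv6, used here as a
    rough proxy for "same subnet / same site" (an assumption, not a standard).
    """
    addrs, prefixes, families = set(), set(), set()
    for addr_list in ns_addrs.values():
        for a in addr_list:
            ip = ipaddress.ip_address(a)
            addrs.add(ip)
            families.add(ip.version)
            plen = 24 if ip.version == 4 else 48
            prefixes.add(ipaddress.ip_network(f"{ip}/{plen}", strict=False))
    return {
        "ns_names": len(ns_addrs),   # what "at least N NS RRs" counts
        "addresses": len(addrs),     # distinct server addresses
        "prefixes": len(prefixes),   # distinct /24 or /48 prefixes
        "families": len(families),   # IPv4, IPv6, or both
    }


def is_degenerate(ns_addrs):
    """True when the NS set has no servers, or all of them sit in one prefix
    of one address family, i.e. the NS count hides a single point of failure."""
    s = summarize_ns_set(ns_addrs)
    return s["ns_names"] == 0 or (s["prefixes"] <= 1 and s["families"] <= 1)


if __name__ == "__main__":
    for label, zone in (("two NS, one subnet", TWO_NS_ONE_SUBNET),
                        ("one NS, dual stack", ONE_NS_DUAL_STACK)):
        print(label, summarize_ns_set(zone), "degenerate" if is_degenerate(zone) else "ok")
```

With the constructed data the two-NS set collapses to one /24 in one family while the single-NS set spans two prefixes and two families, which is the asymmetry the message describes.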
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop