DNS friends,
On 14/04/2020 17.43, Paul Vixie wrote:
> Today it was proposed that NS2 be added as a new record-set type that
> could exist in either the parent or the child, similar to NS, and
> reminding several of us about the DS debacle.
> DS should never have been placed at the delegation point, and has led to
> a decade or longer of bugs and corner cases and complexity. It ought to
> have been a nephew domain of the delegation point, but, in the parent:
> so instead of example.com DS, it should have been example._dnssec.com DS.
> This is the approach I suggest for anything like NS2.
I think this makes abundant sense.
Some information about delegation clearly belongs in the parent, and
only in the parent.
NS in the child-but-also-the-parent was clearly a bit of a bad design.
DS in the parent-but-kind-of-also-the-child (via DNSKEY records) was an
attempted step in the right direction, but clearly also a bit of a bad
design. Paul's proposal (or a similar one) seems like a really good
approach to me.
We can include something like CDS/CDNSKEY from the very beginning as
well, as in-band signaling for parent/child synchronization.
Cheers,
--
Shane
_______________________________________________
DNSOP mailing list
dnsop@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
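An added example, not part of the thread and not code from any DNS implementation: a toy Python model of how a parent-side authoritative server has to answer queries at and around a delegation point. It shows the type-specific exception that a parent needs when DS shares the delegation's owner name, and that the exception disappears once the parent's data lives at a nephew name such as example._dnssec.com. The zone contents, server names and DS digest are constructed; the `_dnssec` label is taken from the quoted message and is not a registered convention; glue records are not attached to referrals in this toy.

```python
# Added example (not from the DNSOP thread): a toy parent-zone lookup that
# contrasts DS at the delegation point with DS at a nephew name.
# Zone data below is constructed; "_dnssec" is the label from the quoted
# message, not a standardized one.

def labels(name):
    """'example.com.' -> ['com', 'example'] (root first); '.' -> []."""
    stripped = name.rstrip(".")
    return stripped.split(".")[::-1] if stripped else []

def is_at_or_below(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return n[:len(a)] == a

def zone_apex(zone):
    return next(owner for (owner, rtype) in zone if rtype == "SOA")

def delegation_point(zone, qname):
    """Closest zone cut at or above qname: a non-apex owner of NS records."""
    apex = zone_apex(zone)
    best = None
    for (owner, rtype) in zone:
        if rtype == "NS" and owner != apex and is_at_or_below(qname, owner):
            if best is None or len(labels(owner)) > len(labels(best)):
                best = owner
    return best

def answer(zone, qname, qtype, parent_types_at_cut=("DS",)):
    """Return (status, rdata) for a query against a parent zone.

    parent_types_at_cut lists the RR types the parent answers
    authoritatively *at* the delegation name itself.  With DS at the cut
    this must contain "DS"; with the nephew layout it can be empty, and
    the rule collapses to "everything at or below a cut is a referral".
    """
    if not is_at_or_below(qname, zone_apex(zone)):
        return ("refused", [])
    cut = delegation_point(zone, qname)
    if cut is not None:
        if qname == cut and qtype in parent_types_at_cut:   # the special case
            rrs = zone.get((qname, qtype), [])
            return ("authoritative" if rrs else "nodata", rrs)
        return ("referral", zone[(cut, "NS")])   # glue omitted in this toy
    rrs = zone.get((qname, qtype))
    if rrs is not None:
        return ("authoritative", rrs)
    exists = any(owner == qname for (owner, _) in zone)
    return ("nodata" if exists else "nxdomain", [])

def nephew_name(child, parent, label="_dnssec"):
    """example.com. under com. -> example._dnssec.com. (direct children only)."""
    p, c = labels(parent), labels(child)
    if c[:len(p)] != p or len(c) != len(p) + 1:
        raise ValueError("child must be exactly one label below parent")
    return ".".join(reversed(p + [label, c[-1]])) + "."

# Constructed data: a parent zone "com." served by ns.parent.test.
SOA = "ns.parent.test. hostmaster.parent.test. 2020041401 1800 900 604800 86400"
DS_RDATA = "12345 13 2 " + "00" * 32   # placeholder digest, not a real key

# Today's layout: DS sits at the delegation name, next to the non-authoritative NS.
PARENT_ZONE_DS_AT_CUT = {
    ("com.", "SOA"): [SOA],
    ("com.", "NS"): ["ns.parent.test."],
    ("example.com.", "NS"): ["ns1.example.com."],   # delegation, not parent-authoritative
    ("example.com.", "DS"): [DS_RDATA],             # parent-authoritative, same owner name
    ("ns1.example.com.", "A"): ["192.0.2.1"],       # glue
}

# Nephew layout: the parent's data moves to example._dnssec.com., which is not delegated.
PARENT_ZONE_NEPHEW = {
    ("com.", "SOA"): [SOA],
    ("com.", "NS"): ["ns.parent.test."],
    ("example.com.", "NS"): ["ns1.example.com."],
    ("ns1.example.com.", "A"): ["192.0.2.1"],
    (nephew_name("example.com.", "com."), "DS"): [DS_RDATA],
}

def compare_layouts():
    """Ask the same four questions of both layouts; return status per query."""
    queries = [("example.com.", "DS"), ("example.com.", "NS"),
               ("www.example.com.", "A"), ("example._dnssec.com.", "DS")]
    at_cut = {q: answer(PARENT_ZONE_DS_AT_CUT, *q)[0] for q in queries}
    nephew = {q: answer(PARENT_ZONE_NEPHEW, *q, parent_types_at_cut=())[0]
              for q in queries}
    return at_cut, nephew

if __name__ == "__main__":
    for layout, results in zip(("DS at cut", "nephew"), compare_layouts()):
        for (qname, qtype), status in results.items():
            print(f"{layout:9} {qname:22} {qtype:3} -> {status}")
```

With DS at the cut, `answer()` must know that example.com./DS is the parent's to answer while example.com./NS at the very same name is a referral; that per-type carve-out at one owner name is the kind of corner case the quoted message is complaining about. With the nephew layout the parent answers example._dnssec.com./DS by the ordinary "name is in my zone and not under a cut" rule, and example.com. is a referral for every type.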