On Wednesday, 15 April 2020 15:16:20 UTC John Levine wrote:
> In article <[email protected]> you write:
> >...
> >
> >so instead of example.com DS, it should have been example._dnssec.com DS.
>
> I take your point but I have a question and a half.
>
> The plan in this draft is that NS2 would eventually replace NS records.

if so there's a much larger set of changes we'd have to consider. for one thing NS2 should be slabbed (one record containing a compound rdata set); for another it would have to incorporate what DS does now (also as a slab). and it would move to be delegator-only, not present or relevant at the apex, and therefore signed in the parent. i have hesitated to bring any of this up in the years since 2003 when it all first came to light, because i thought it would take time and attention away from getting DNSSEC deployed. (naive?)

> Hence a zone could have a zone cut at a name that has no NS
> records, so the server has to do something like scan the zone when
> loaded or updated for NS2 records at names like example._ns2.com and
> remember that means that example.com is a zone cut.

if this is meant to replace NS then it would have to be at the zone cut, and not a nephew-domain like DS should have been. so, i apparently misheard what was said on the dnsop webex about this, and didn't do my assigned reading before starting this thread. please accept my apologies.

> Adding to the excitement, NS2 in its current kitchen-sink form
> replaces both NS and DS, so the name at the zone cut would not exist
> at all. The server would presumably have to synthesize an ENT there.
>
> Does that seem feasible? Sensible?

this still doesn't feel like the right era to begin the DNSv2 effort.

-- 
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
