I had it said to me, that "lies" about the ns.bar.example are not a
problem because if they can tell you a DNSSEC verified truth about the
primary request, you don't care who told you.

That can only be truly not a concern if the primary is DNSSEC
verified. So, for the non-DNSSEC, it feels like a substantial problem.
But then... the only way out is to BE DNSSEC aware. There's not much
choice.

I'm not convinced this "glue doesn't have to be validated" thing is
true, but the problem latent in this is the recursive time/compute
cost of chasing all out-of-bailiwick data, to verify its status in
DNSSEC.

Love to hear other people's POV on this. Maybe it is a false meme on
my part? Maybe glue HAS to be checked and validated, no matter what?

-G

On Wed, Jul 28, 2021 at 2:16 PM John Levine <[email protected]> wrote:
>
> It appears that Paul Wouters  <[email protected]> said:
> >On Tue, 27 Jul 2021, John R Levine wrote:
> >
> >> Well, OK.  How about this?
> >>
> >>       foo.example NS ns.bar.example
> >>       ns.foo.example AAAA 2001:0DB8:0000:000b::1
> >>
> >>       bar.example NS ns.abc.example
> >>       ns.bar.example AAAA 2001:0DB8:0000:000b::2
> >>
> >>       abc.example NS ns.def.example
> >>       ns.abc.example AAAA 2001:0DB8:0000:000b::3
> >>
> >>       def.example NS ns.foo.example
> >>       ns.def.example AAAA 2001:0DB8:0000:000b::4
> >>
> >> (I would have gone all the way to ns.xyz.example but it's time for bed
> >> here)
> >>
> >> We don't try to make NS loops work across zones, so I don't see the point
> >> of sorta kinda trying to make them work sometimes.
> >
> >You still miss the point. In the case of def.example needing
> >ns.foo.example, the server can just check if it has glue for
> >ns.foo.example. It does, so it returns it. It is not going to
> >check whether or not this is a silly loop to .xyz.example or
> >beyond. There is no point in knowing that. It has an NS record
> >pointing to X. It has a glue record for X. So it includes the glue
> >record X.
>
> OK, so I ask for foo.example and I get
>
> ; answer
>  foo.example NS ns.bar.example
> ; additional
> ns.bar.example AAAA 2001:0DB8:0000:000b::2
>
> Does it check that's the right value for ns.bar.example?  How about with DNSSEC?
> I suppose
>
> I still don't see the benefit of trying to make some loops work when we know
> that we can't make cross-zone loops work.
>
> R's,
> John
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
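The four-zone loop quoted above, chased two ways by a toy resolver: one that accepts the parent's sibling glue the way John's sample answer does, and one that insists on an authoritative answer for every nameserver address, which is what "chasing all out-of-bailiwick data" costs. This is an added simulation written for this thread, not code from any poster or from a real resolver; the parent delegation table, the control zone xyz.example and its address are constructed.

```python
# Added simulation (not anyone's code in this thread). Zone data below is
# constructed from the quoted loop; xyz.example is a constructed control.
DELEGATIONS = {  # parent zone "example": child zone -> NS name it delegates to
    "foo.example": "ns.bar.example",
    "bar.example": "ns.abc.example",
    "abc.example": "ns.def.example",
    "def.example": "ns.foo.example",
    "xyz.example": "ns.xyz.example",  # constructed: NS in its own bailiwick
}
GLUE = {  # parent's glue: NS name -> AAAA; unsigned, so only a hint when validating
    "ns.foo.example": "2001:0DB8:0000:000b::1",
    "ns.bar.example": "2001:0DB8:0000:000b::2",
    "ns.abc.example": "2001:0DB8:0000:000b::3",
    "ns.def.example": "2001:0DB8:0000:000b::4",
    "ns.xyz.example": "2001:0DB8:0000:000b::5",  # constructed
}

def zone_of(ns_name):
    """Zone that is authoritative for a nameserver's own address record."""
    return ns_name.split(".", 1)[1]

def resolve_trusting_glue(qname):
    """Non-validating path: accept the parent's sibling glue after one
    referral. Cheap, but the address was never confirmed by its owner."""
    ns = DELEGATIONS[qname]
    return {"ns": ns, "addr": GLUE.get(ns), "verified": False, "queries": 1}

def resolve_verifying(qname, max_depth=16):
    """Validating path: an address counts only once the zone owning the NS
    name has answered for it, which first needs *that* zone's NS address."""
    chain, zone = [qname], qname
    for _ in range(max_depth):
        ns = DELEGATIONS[zone]
        owner = zone_of(ns)
        if owner == zone:
            # In-bailiwick NS: glue bootstraps the query and the zone's own
            # signed AAAA confirms it, so the chase ends here.
            return {"status": "verified", "ns": ns, "addr": GLUE[ns],
                    "chain": chain, "queries": len(chain) + 1}
        if owner in chain:
            # Back at a zone already on the chain: every NS lives in another
            # zone and no authoritative address is reachable.
            return {"status": "loop", "chain": chain + [owner],
                    "queries": len(chain)}
        chain.append(owner)
        zone = owner
    return {"status": "too_deep", "chain": chain, "queries": len(chain)}
```

For foo.example the verifying chase walks bar, abc and def and comes back to foo after four referrals without ever obtaining a signed address, while the glue-trusting path returns ns.bar.example's address after one referral but with nothing vouching for it.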
