Parent is authoritative for the existence of the delegation
Child is authoritative for the contents of the delegation

DNS design did not take this into account thus there is no "range" of Parent only records, DS is the only record that is explicitly a "violation" of this

IMHO RFC103x should have defined a DEL record in parent and NS in the child then resolvers could have kept both sides.

Olafur

On Tue, Jul 26, 2022 at 9:22 AM Petr Špaček <[email protected]> wrote:

> On 28. 06. 22 16:20, Bob Harold wrote:
> > But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
> > (Wish we could fix that!)
>
> I share your wish.
>
> Does anyone else want to contribute?
>
> Can people here share their memories of why it is not signed? I wasn't
> doing DNS when this was designed and I think it would be good to
> understand the motivation before we start proposing crazy things.
>
> Thank you for your time.
>
> --
> Petr Špaček
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
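The asymmetry discussed in this thread, as an added example that is not part of the original messages: the script below takes a referral in presentation format and reports which RRsets have a covering RRSIG. The referral text, names, key tags and placeholder digest/signature fields are constructed for illustration; the function names are hypothetical.

```python
# Constructed referral, as a signed parent (com.) would return it for a
# signed child. Per RFC 4035, the parent signs the DS RRset but not the
# delegation NS RRset or the glue addresses.
REFERRAL = """\
; AUTHORITY SECTION (constructed sample)
example.com.      172800 IN NS    ns1.example.com.
example.com.      172800 IN NS    ns2.example.com.
example.com.      86400  IN DS    12345 13 2 PLACEHOLDER-DIGEST
example.com.      86400  IN RRSIG DS 13 2 86400 20220901000000 20220801000000 54321 com. PLACEHOLDER-SIG
; ADDITIONAL SECTION (glue, constructed sample)
ns1.example.com.  172800 IN A     192.0.2.1
ns2.example.com.  172800 IN A     192.0.2.2
"""


def parse(text):
    """Yield (owner, rtype, rdata_fields) for each record line."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        yield owner.lower(), rtype.upper(), rdata


def signature_coverage(text):
    """Map each (owner, type) RRset to True if an RRSIG covers it."""
    rrsets, covered = set(), set()
    for owner, rtype, rdata in parse(text):
        if rtype == "RRSIG":
            # First RDATA field of an RRSIG is the type it covers.
            covered.add((owner, rdata[0].upper()))
        else:
            rrsets.add((owner, rtype))
    return {rrset: rrset in covered for rrset in sorted(rrsets)}


def unsigned_rrsets(text):
    """Return the RRsets a validator cannot authenticate from this response."""
    return [r for r, signed in signature_coverage(text).items() if not signed]


if __name__ == "__main__":
    for (owner, rtype), signed in signature_coverage(REFERRAL).items():
        print(f"{owner:18} {rtype:4} {'signed' if signed else 'UNSIGNED'}")
```
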
