Mats Dufberg <[email protected]> writes:
> Parent is not authoritative of the NS in the delegation. The same with
> any glue address records on or below the delegation point. The parent
> does not sign non-authoritative records.

The odd thing about this situation, as the above well states the history: the parent isn't authoritative for the NS and glue, but yet it still exists in their zone. So it's this hybrid case where they publish data, and seem authoritative to the DNS client asking for where to talk to the parent's child, but it's the client's fault if the parent is serving incorrect data (IE, the child/parent are out of (c)sync).

The history basically says "we believe that there is only one authoritative source of this data", but the reality says "there may be only one source of authoritative data, but multiple publishers may distribute copies of it that may or may not be correct".

In the end, there are two sources of authority:

- who creates the records
- who is distributing the records

IMHO, it would be helpful if the distributors would stand by their statements of publication, even if they didn't actually create the records.

I don't think signing the distributed records would change the behavior of whether or not clients cached them or whether clients believed who was authoritative (IE, I don't think resolvers are making caching decisions based on whether something was signed or not).

--
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
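The split discussed in this message, as an added example that is not part of the original post: it classifies the RRsets of a parent zone into those the parent signs and those it only distributes (delegation NS and glue, left unsigned per RFC 4035 section 2.2), then reports drift between the parent's copy of the NS set and the child's own. The zone contents, names and the helper functions are all constructed for illustration.

```python
# Constructed sample: parent zone "example." delegating "child.example."
PARENT_ORIGIN = "example."
PARENT_ZONE = [  # (owner, type, rdata)
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 600 86400 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("child.example.", "NS", "ns1.child.example."),
    ("child.example.", "NS", "ns2.child.example."),
    ("child.example.", "DS", "12345 13 2 <constructed-digest>"),
    ("ns1.child.example.", "A", "192.0.2.53"),
    ("ns2.child.example.", "A", "192.0.2.54"),
]
# Constructed: the NS RRset the child publishes (and signs) at its own apex.
CHILD_APEX_NS = {"ns1.child.example.", "ns3.child.example."}


def is_subdomain(name, ancestor):
    """True if name equals ancestor or lies below it (names are lowercase FQDNs)."""
    return name == ancestor or name.endswith("." + ancestor)


def delegation_points(zone, origin):
    """Owners with an NS RRset other than the zone apex are zone cuts."""
    return {owner for owner, rtype, _ in zone if rtype == "NS" and owner != origin}


def classify(zone, origin):
    """Map (owner, type) -> 'signed' or 'unsigned' as seen from the parent."""
    cuts = delegation_points(zone, origin)
    result = {}
    for owner, rtype, _ in zone:
        cut = next((c for c in cuts if is_subdomain(owner, c)), None)
        if cut is None:
            status = "signed"      # authoritative parent data
        elif owner == cut and rtype in ("DS", "NSEC"):
            status = "signed"      # parent-side data at the cut
        else:
            status = "unsigned"    # delegation NS or glue: distributed, not vouched for
        result[(owner, rtype)] = status
    return result


def ns_drift(zone, cut, child_ns):
    """Compare the parent's copy of the delegation NS set with the child's."""
    parent_ns = {rdata for owner, rtype, rdata in zone if owner == cut and rtype == "NS"}
    return {"only_parent": parent_ns - child_ns, "only_child": child_ns - parent_ns}
```

A resolver following the referral sees only the unsigned parent copy, so a non-empty `ns_drift` result is exactly the out-of-sync case the message describes.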
