On Wednesday, November 30th, 2022 at 01:46, Mark Andrews <[email protected]> wrote:
> > On 30 Nov 2022, at 00:07, Joe Abley [email protected] wrote:
> >
> > > One question occurs to me after reading your draft: you
> > > suggest in a couple of places that it's easy for a
> > > nameserver that is authoritative for a child zone to know
> > > the name of the parent zone. How?
> >
> > Remove the leftmost label and query for the SOA record.

[etc]

More generally, I think it's true that a parent knows about its child but a child is generally ignorant of its parents, of which there might be zero or more. Sending queries to discover your lineage gives you answers that work in the namespace your queries allow you to discover, but they might not work in others. Maybe that's ok or maybe that's worth thinking about.

NOTIFY messages would surely leak from isolated (e.g. internal-use, enterprise) namespaces, like leaking UPDATE messages from AD or queries sunk on AS112 servers. Servers certainly exist that serve referrals that are different depending on the client that is asking, for example; perhaps that's worth thinking about.

Sending a signal that the parent should investigate the child is nice because it limits the range of unpleasant consequences that might result from the signal not being authentic or from the target not being the right one. The worst that can happen is that the signal doesn't arrive or that the recipient is too busy to deal with it. In this context sending something like an UPDATE seems less nice.

How often do you send a NOTIFY, given that the action triggered (or not) is expected to be asynchronous? Should the draft say something about retrying? If widely deployed this mechanism has the potential to deliver a lot of traffic to a small number of targets (e.g. if this was supported by a zone with lots of children like COM). Retries would amplify the traffic volume.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

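The parent-discovery step Mark describes (strip the leftmost label, ask for the SOA) and Joe's caveat that the answer depends on which namespace the querier can see, as an added example that is not part of the thread. It runs against a constructed in-memory stand-in for the DNS (`FakeResolver`, a hypothetical helper) rather than live queries; the zone sets for the "public" and "internal" views are made up for illustration.

```python
from typing import Optional


def labels(name: str) -> list[str]:
    """Split a domain name into its labels, dropping the trailing dot."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def join(ls: list[str]) -> str:
    """Rebuild a fully qualified name from labels ("." for the root)."""
    return ".".join(ls) + "." if ls else "."


class FakeResolver:
    """Constructed stand-in for a namespace view: the set of zone apexes
    that queries from this vantage point can reach."""

    def __init__(self, zones):
        self.zones = {join(labels(z)) for z in zones}

    def soa_owner(self, qname: str) -> Optional[str]:
        """Owner name of the SOA that an SOA query for qname would yield.
        A real server answers with the SOA of the closest enclosing zone
        (in the answer section if qname is an apex, otherwise in the
        authority section of the NODATA/NXDOMAIN response)."""
        ls = labels(qname)
        for i in range(len(ls) + 1):
            candidate = join(ls[i:])
            if candidate in self.zones:
                return candidate
        return None  # not even a root is visible from this view


def find_parent(child: str, resolver: FakeResolver) -> Optional[str]:
    """Mark's recipe: remove the leftmost label and ask who holds the SOA
    for what remains. The root has no parent."""
    ls = labels(child)
    if not ls:
        return None
    return resolver.soa_owner(join(ls[1:]))


# Constructed views. "corp." exists only inside the enterprise namespace;
# a query that escapes to the public namespace lands on the root instead,
# which is where a NOTIFY aimed at "the parent" would leak to.
PUBLIC = FakeResolver([".", "com.", "example.com."])
INTERNAL = FakeResolver([".", "corp.", "dept.corp."])

if __name__ == "__main__":
    for view_name, view in (("internal", INTERNAL), ("public", PUBLIC)):
        print(view_name, "parent of dept.corp. ->", find_parent("dept.corp.", view))
```

The same child zone resolves to a different parent per view, so a NOTIFY sent on the basis of the public answer would reach a target that never delegated the zone.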