Tim Wicinski <[email protected]> writes:

> This starts a Call for Adoption for draft-thomassen-dnsop-cds-consistency

I think this is important work and needs to get processed by DNSOP, and as such I support this document as the starting point for the work and encourage its adoption. Having said that, I'm not entirely sure that its exact concepts at the moment are what should be published in the long run (more below).

For lame delegations, I think discussion is needed further. It's unclear from the draft at the moment (and I think it needs to be very clear) what to do with servers that are lame. It discusses what CDS/CDNSKEY/CSYNC are supposed to do when the server is unresponsive, but not with respect to other errors or situations, and I think some clarity would be helpful here.

I think it's important that we deal with the multi-signer case, and that point is very clear (and correct). But we also do need to be able, as a child, to update a parent's records when a nameserver has gone offline or stopped responding appropriately. This is very different from one NS taking over -- i.e., I agree that this is the principal thing to defend against. But we also need to be able to efficiently recover from operational situations.

Nits, as long as I was reading it with a red pen:

- Introduction: CSYNC updates both NS *and glue* records
- Lame delegations: "on the other hand, if the delegation is not protected by DNSSEC," -- I don't understand this because all three record types require DNSSEC to be in place and valid for any of the records to work. No changes should ever be permitted without both present and valid signatures. Maybe I'm misunderstanding the paragraph though.
- Section 3 is likely where service failure / error conditions need to be discussed more fully (IMHO).
- 3.2 CSYNC: There are a few things to check here, and all the servers should be consistent with all the records for changes to be made: the CSYNC record itself, the NS records and the glue records (or, since CSYNC is generic: the CSYNC record and any records it is referring to). I.e., the CSYNC records could be equal but the NS records need to be checked for equivalence at each server too.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
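The consistency check discussed in the message (every authoritative server of the child must return the same CDS/CDNSKEY/CSYNC RRset, and for CSYNC also the same NS and glue RRsets it refers to) as an added, illustrative Python sketch. It is not code from the draft, from Wes Hardaker or from any parent operator; the server answers are constructed in-line, the CSYNC type list is taken from its presentation format, and how unresponsive servers are treated (a point the message says the draft leaves unclear) is exposed as a parameter so both policies can be tried.

```python
"""Constructed example: a parent-side consistency check across all of the
child's authoritative servers before acting on CDS/CDNSKEY or CSYNC."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# One server's answer: RR type -> set of rdata strings. None means it did not respond.
Answer = Optional[Dict[str, FrozenSet[str]]]


@dataclass
class Decision:
    accept: bool
    reasons: List[str] = field(default_factory=list)


def _rrset(answer: Dict[str, FrozenSet[str]], rrtype: str) -> FrozenSet[str]:
    return answer.get(rrtype, frozenset())


def _csync_types(rdata: str) -> List[str]:
    # CSYNC presentation format: "<SOA serial> <flags> <type> <type> ...", e.g. "66 3 NS A"
    return rdata.split()[2:]


def check_update(responses: Dict[str, Answer], rrtype: str,
                 tolerate_unresponsive: bool = False) -> Decision:
    """Decide whether the parent may act on the child's rrtype (CDS, CDNSKEY or CSYNC).

    The draft leaves the treatment of unresponsive servers open; here it is a
    parameter (an assumption of this example), defaulting to the strict policy."""
    reasons: List[str] = []
    responding = {s: a for s, a in responses.items() if a is not None}
    dead = sorted(s for s, a in responses.items() if a is None)
    if not responding:
        return Decision(False, ["no server answered"])
    if dead:
        reasons.append("unresponsive: " + ", ".join(dead))
        if not tolerate_unresponsive:
            return Decision(False, reasons)

    # Step 1: the signalling RRset itself must be identical on every responding server.
    rrsets = {_rrset(a, rrtype) for a in responding.values()}
    if len(rrsets) != 1:
        reasons.append(f"{rrtype} RRset differs across servers")
        return Decision(False, reasons)
    agreed = next(iter(rrsets))
    if not agreed:
        reasons.append(f"no {rrtype} record published")
        return Decision(False, reasons)

    # Step 2: for CSYNC, every RRset its type list asks the parent to sync must agree too.
    if rrtype == "CSYNC":
        if len(agreed) != 1:
            reasons.append("CSYNC must be a single record")
            return Decision(False, reasons)
        for t in _csync_types(next(iter(agreed))):
            if len({_rrset(a, t) for a in responding.values()}) != 1:
                reasons.append(f"CSYNC consistent but {t} RRset differs across servers")
                return Decision(False, reasons)

    reasons.append(f"{rrtype} consistent on {len(responding)} server(s)")
    return Decision(True, reasons)


# Constructed answers from three hypothetical servers of example.test (not real data).
GOOD = {"CDS": frozenset({"12345 13 2 ABCD"}), "CSYNC": frozenset({"66 3 NS A"}),
        "NS": frozenset({"ns1.example.test.", "ns2.example.test."}),
        "A": frozenset({"192.0.2.1", "192.0.2.2"})}
# Same CDS and CSYNC, but one server already publishes a different NS set.
CHANGED_NS = dict(GOOD, NS=frozenset({"ns1.example.test.", "ns3.example.test."}))

SAMPLE_OK = {"ns1": GOOD, "ns2": GOOD, "ns3": GOOD}
SAMPLE_NS_DRIFT = {"ns1": GOOD, "ns2": CHANGED_NS, "ns3": GOOD}
SAMPLE_ONE_DOWN = {"ns1": GOOD, "ns2": None, "ns3": GOOD}

if __name__ == "__main__":
    cases = [("ok", SAMPLE_OK), ("ns drift", SAMPLE_NS_DRIFT), ("one down", SAMPLE_ONE_DOWN)]
    for name, sample in cases:
        for rr in ("CDS", "CSYNC"):
            d = check_update(sample, rr)
            print(f"{name:9} {rr:5} accept={d.accept}  {'; '.join(d.reasons)}")
```

The "ns drift" sample is the case the last nit warns about: the CSYNC records are byte-identical on all three servers, so a check that only compares CSYNC would accept it, while comparing the referenced NS RRset rejects it. The "one down" sample shows the policy gap the message raises: the strict default refuses to act, and only `tolerate_unresponsive=True` lets the parent recover from an offline nameserver.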
