On 1/30/24, 09:57, "DNSOP on behalf of Roy Arends" <[email protected] on behalf of [email protected]> wrote:

> > On 30 Jan 2024, at 12:57, Joe Abley <[email protected]> wrote:
> >
> > Related, what to do when the ipv4hints are not the same as the
> > corresponding A RRSet?
>
> IMHO, potential unsigned glue records from elsewhere are inferior to
> address records in a signed DELEG record. If a validator supports DELEG, and
> has information such as Nameserver names and name server addresses, it should
> ignore glue and NS records.
The question of "what happens when two sources differ on information" is a good one. In "Clarifications to the DNS Specification" a trustworthiness scale is in the "Ranking data" section. (That's RFC 2181, section 5.4.1, for those that address via numbers.)

Nevertheless, I've seen aggressive resolvers rely on glue records when higher ranking data led to no response (query went out, no response within a set time out) or was inconclusive (meaning no address resource record sets could be found). "Aggressive" meant that the resolver tried all tricks, protocol-following or not, to get an answer back to the requester.

What I mean is - it would be good to give a crisp, specific prescription for this case, but history shows that implementers can be crafty. I don't know if that is better or worse for operations though. In operations it would be good if the events were predictable (meets expected behavior) but it is also good if we limit faults.
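As an added illustration of the two behaviours discussed in this thread (it is not code from any of the posters or from a resolver implementation), the block below models the RFC 2181 section 5.4.1 ranking of address data and compares a strict resolver, which follows the ranking alone, with the "aggressive" one that walks down the ranking when the best-ranked source times out or is empty. The `DELEG_SIGNED` rank is an assumption of this example, placed just above glue to reflect the quoted view that validated DELEG address hints beat unsigned glue; RFC 2181 itself says nothing about DELEG. The name server name and addresses are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from itertools import combinations

# RFC 2181 section 5.4.1 trustworthiness scale, most trusted first (lower is
# better). DELEG_SIGNED is NOT from RFC 2181: it is this example's assumption,
# placed above glue to match the thread's view that validated DELEG address
# hints beat unsigned glue from the parent.
class Rank(IntEnum):
    PRIMARY_ZONE = 1      # primary zone file data, other than glue
    ZONE_TRANSFER = 2     # zone transfer data, other than glue
    AUTH_ANSWER = 3       # authoritative data in an answer section
    AUTH_AUTHORITY = 4    # authority section of an authoritative answer
    DELEG_SIGNED = 5      # assumed: DNSSEC-validated DELEG ipv4hints
    GLUE = 6              # glue from a primary zone or zone transfer
    NONAUTH_ANSWER = 7    # answer section of a non-authoritative answer
    ADDITIONAL = 8        # additional-section data and the rest


@dataclass(frozen=True)
class AddressSet:
    """One source's view of a name server's IPv4 addresses."""
    owner: str                 # name server name, e.g. "ns1.example."
    rank: Rank                 # which source supplied the data
    addresses: tuple = ()      # empty tuple = source had no usable data
    responsive: bool = True    # False = the query for this data timed out

    def usable(self) -> bool:
        return self.responsive and bool(self.addresses)


def select_addresses(candidates, allow_fallback=False):
    """Choose which address set to use for a name server name.

    Strict mode follows the ranking alone: the best-ranked source wins even
    when it is empty or unresponsive, which fails predictably. Fallback mode
    models the "aggressive" resolver from the thread: walk down the ranking
    until some source yields addresses.
    """
    ordered = sorted(candidates, key=lambda c: c.rank)
    if not ordered:
        return None
    if not allow_fallback:
        return ordered[0]
    for cand in ordered:
        if cand.usable():
            return cand
    return ordered[0]


def conflicting_sources(candidates):
    """Report pairs of usable sources whose address sets disagree.

    A resolver that logs these pairs (rather than silently picking one)
    makes stale glue or mismatched hints visible to operators.
    """
    usable = sorted((c for c in candidates if c.usable()), key=lambda c: c.rank)
    return [
        (a.rank, b.rank)
        for a, b in combinations(usable, 2)
        if set(a.addresses) != set(b.addresses)
    ]


# Constructed sample for ns1.example.: the direct A query timed out, the
# parent's glue is stale, and the validated DELEG hints carry the new address.
NS = "ns1.example."
WITH_DELEG = (
    AddressSet(NS, Rank.AUTH_ANSWER, (), responsive=False),
    AddressSet(NS, Rank.DELEG_SIGNED, ("192.0.2.1",)),
    AddressSet(NS, Rank.GLUE, ("192.0.2.9",)),
)
# The same situation as seen by a resolver that does not understand DELEG.
WITHOUT_DELEG = tuple(c for c in WITH_DELEG if c.rank != Rank.DELEG_SIGNED)


if __name__ == "__main__":
    for label, cands in (("with DELEG", WITH_DELEG), ("without DELEG", WITHOUT_DELEG)):
        strict = select_addresses(cands)
        loose = select_addresses(cands, allow_fallback=True)
        print(f"{label}: strict -> {strict.rank.name} {strict.addresses}, "
              f"fallback -> {loose.rank.name} {loose.addresses}")
    print("conflicts:", conflicting_sources(WITH_DELEG))
```

Run as is, the strict resolver ends up with no address in both scenarios (the timed-out authoritative answer outranks everything else), while the fallback resolver uses the DELEG hint when it understands DELEG and the stale glue when it does not. `conflicting_sources` is the check worth keeping regardless of which policy is chosen: it surfaces the ipv4hints-versus-glue disagreement rather than letting the ranking hide it.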
