On 30/01/2024 16:21, Joe Abley wrote:
> On 30 Jan 2024, at 15:57, Roy Arends <r...@dnss.ec> wrote:
>
>>> If an authority server is capable of loading a DELEG RRSet and generating
>>> referral responses accordingly, it's surely also capable of synthesising an
>>> unsigned NS set?
>>
>> I’m all in favour of synthesising NS/Glue records from DELEG, however, this
>> automation is a nice-to-have and its functionality should not be required to
>> implement in the draft.
>
> Yep, I'm suggesting otherwise, that perhaps it ought to be a hard requirement
> to synthesise NS RRs when DELEG is present, and perhaps also that it not be
> legal to include both NS and DELEG at the same owner name.

I have a longer review in the works but just wanted to pick up on this.
I can well imagine having DELEG RRs pointing to some DoX server that is
not the same server as the DoX-unaware one the NS RRs point to for good
old DNS. The important thing is that you get the same final DNS records
whatever path leads you to them. This is why I think that DNSSEC should
be required.

John
--
John Dickinson Sinodun Internet Technologies Ltd.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop