John
On Tue, Jan 30, 2024 at 11:29 AM John Dickinson <[email protected]> wrote:

> On 30/01/2024 16:21, Joe Abley wrote:
> > On 30 Jan 2024, at 15:57, Roy Arends <[email protected]> wrote:
> >
> >>> If an authority server is capable of loading a DELEG RRSet and generating referral responses accordingly, it's surely also capable of synthesising an unsigned NS set?
> >>
> >> I’m all in favour of synthesising NS/Glue records from DELEG, however, this automation is a nice-to-have and its functionality should not be required to implement in the draft.
> >
> > Yep, I'm suggesting otherwise, that perhaps it ought to be a hard requirement to synthesise NS RRs when DELEG is present, and perhaps also that it not be legal to include both NS and DELEG at the same owner name.
>
> I have a longer review in the works but just wanted to pick up on this.
>
> I can well imagine having DELEG RRs pointing to some DoX server that is not the same server as the DoX-unaware one the NS RRs point to for good old DNS. The important thing is that you get the same final DNS records whatever path leads you to them. This is why I think that DNSSEC should be required.
>
>

So in an SLD world I wonder if the parent and child having to be the same always works? I've had to work out odd issues with a delegated subdomain in a lab where the NS records have moved and they have no glue, etc. Sometimes, the parent wants to force behavior. Not in the TLD case, but I hope you get my line of thinking.

tim
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
