On 3/18/25 11:41, Shumon Huque wrote:
> We remove the faulty DNS operator from the NS RRset both at the delegator
> and the child zone.
>
> But even if you just removed it from the child zone NS RRset,
> ns-revalidation requires the resolver to re-query the NS RRset at the child
> zone apex immediately after (re-)following the referral from the parent, and
> replace the higher credibility (authoritative) data in cache.
>
> Follow-up: I guess only updating the NS RRset in the child zone can still cause
> some queries to go to the faulty operator - you are right about that. So, you
> have to do it both at the delegation and child zone. Which is what we do.

Excellent, that's what I'd thought. I'm just not getting which difference NS
revalidation then makes in this situation (as you brought it up as an
operational benefit upthread).
Cheers,
Peter
--
https://desec.io/