I think this draft is useful to improve the security of DNS delegation, which is a fundamental mechanism in DNS.
Besides domain ownership validation, maybe delegation consent is another issue worth considering. Existing DNS allow any zone administrator to delegate their domain names to any authoritative servers without the consent of the target operator. This unilateral delegation capability can be abused to direct large volumes of unnecessary queries toward third-party authoritative DNS providers, potentially leading to effects similar to NXNSAttack. Although some resolver implementations mitigate this by limiting NS lookups, I wonder if it is also worth addressing this at protocol level. -----原始邮件----- 发件人:"Erik Nygren" <[email protected]> 发送时间:2026-07-06 21:29:58 (星期一) 收件人: "Shumon Huque" <[email protected]> 抄送: "Peter Thomassen" <[email protected]>, "[email protected] WG" <[email protected]>, [email protected] 主题: [DNSOP] Re: Delegation verification Following up on this, I've published a -00 of a separate draft covering this topic: https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-domain-delegation-validation-00 Best, Erik On Sun, Jun 28, 2026 at 9:25 PM Shumon Huque <[email protected]> wrote: On Thu, Jun 18, 2026 at 12:44 PM Erik Nygren <[email protected]> wrote: I'll let other authors and the WG also speak to it, but a big reason to leave this out is that the current draft is intended to be a best current practice. Yes, the BCP designation is the strongest argument to punt this new proposal to a separate draft and I'm persuaded by it. Shumon.
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
