I think this draft is useful to improve the security of DNS delegation, which 
is a fundamental mechanism in DNS.

 

Besides domain ownership validation,  maybe  delegation consent is another 
issue worth considering.

 

Existing DNS allow any zone administrator to delegate their domain  names to 
any authoritative servers without the consent of the target operator. This 
unilateral delegation capability can be abused to direct large volumes of 
unnecessary queries toward third-party authoritative DNS providers, potentially 
leading to effects similar to NXNSAttack.

 

Although some resolver implementations mitigate this by limiting NS lookups, I 
wonder if it is also worth addressing this at protocol level.










-----原始邮件-----
发件人:"Erik Nygren" <[email protected]>
发送时间:2026-07-06 21:29:58 (星期一)
收件人: "Shumon Huque" <[email protected]>
抄送: "Peter Thomassen" <[email protected]>, "[email protected] WG" <[email protected]>, 
[email protected]
主题: [DNSOP] Re: Delegation verification


Following up on this, I've published a -00 of a separate draft covering this 
topic:


   
https://datatracker.ietf.org/doc/html/draft-nygren-dnsop-domain-delegation-validation-00


Best, Erik








On Sun, Jun 28, 2026 at 9:25 PM Shumon Huque <[email protected]> wrote:

On Thu, Jun 18, 2026 at 12:44 PM Erik Nygren <[email protected]> wrote:
I'll let other authors and the WG also speak to it, but a big reason to leave 
this out is that the current draft is intended to be a best current practice.


Yes, the BCP designation is the strongest argument to punt this new proposal to 
a separate draft and I'm persuaded by it.


Shumon.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to