On Mon, May 04, 2015 at 09:11:28AM +0200, Stephane Bortzmeyer wrote:

> agency) recommends to prefer delegations with glue because glueless
> delegations "may carry additional risks since they create a
> dependency". Is there any other "best practices" text which makes such
> a recommendation?
>
> http://www.ssi.gouv.fr/entreprise/guide/bonnes-pratiques-pour-lacquisition-et-lexploitation-de-noms-de-domaine/
> (in French only)
After the re-discovery of AXFR "vulnerabilities" this is another old news. There have been various research papers about "transitive trust" and suggestions about "in bailiwick glue", which mostly view the system starting from an empty cache.

The recommendation as such neglects the practicalities of maintaining the glue RRSets in the parent zone. So, from the perspective of a registry, I'd be a bit unhappy.

More importantly, while DNSSEC is mentioned in the paper, I do not see, maybe due to lack of language skills, DNSSEC being recommended as explicitly as "delegations with glue".

There are other recommendations that have turned out to be not free of controversy in the past, like recommendation 9 on TTLs, not distinguishing infrastructure and "leave" data as well as recommendation 14 on the RRL slip value.

Getting these recommendations straight is not an easy task. Balancing between different target audiences and breadth and depth of the advice versus available space almost always makes it a matter of compromise and I'm sure the next version might benefit from feedback by the community.

-Peter