On 04. 06. 21 18:56, Paul Vixie wrote:
> On Fri, Jun 04, 2021 at 12:22:10PM -0400, Anthony Lieuallen via dns-operations wrote:
>> This is a question of being parent- vs. child-centric.  The parents in the
>> DNS tree delegate correctly.  The fact that the children delegate
>> incorrectly can be a small or non-issue depending on resolver.
>
> those NS RRs are authoritative at the apex of the child, but not at the leaf of
> the parent. this means they have higher credibility, and also that they can be
> DNSSEC signed and validated. credibility and validity _matter_.
>
>> Google Public DNS uses only parent delegations (
>> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation
>> ).  Largely for issues like this: the child delegations can be wrong, but
>> for the domain to work at all, the parent delegations must be correct.
>
> without broad and deep failure, the quality of apex NS names will never improve.
>
>> (Resolvers that choose to use child delegations will likely in this case
>> discover that these delegations are bogus, and be left with only the valid
>> delegations, from the parent.)
>
> at which point they should return SERVFAIL. failure _matters_.


Personally, with all the experience we have in 2021, I find the historic decision to put authoritative NS RRs on the child side to be a poor choice, to the point of being indefensible.

As Anthony points out, the parent version of NS has to work anyway. It forces me to think a better course of action would be ignoring child-side NS instead of adding complex asynchronous code paths to validate child NS, which is not technically needed.

I mean - why waste resources on improving something which is not even needed?

(To be clear: This is my personal opinion, and I'm sure some of my colleagues at ISC will disagree violently.)

--
Petr Špaček
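The three resolver policies argued over in this thread (parent-only as Anthony describes for Google Public DNS, child-preferred with fallback to the parent set, and child-preferred with a hard SERVFAIL as Paul wants) can be modelled side by side. The following is an added example, not code from the thread, from ISC or from Google; every zone, name server name and "which servers actually answer for the zone" fact is constructed, and the `delegation_report` function goes slightly beyond the thread by giving the operator-side consistency check (parent NS vs apex NS, lame names on either side) that someone cleaning up such a zone would want:

```python
"""Parent-side vs child-side NS selection, modelled on the policies discussed
in the thread. Added example, not from the thread, ISC or Google; all zone
names, server names and reachability data below are constructed."""
from dataclasses import dataclass

SERVFAIL = "SERVFAIL"


@dataclass(frozen=True)
class Delegation:
    """One zone as seen from both sides of the zone cut (constructed data)."""
    zone: str
    parent_ns: frozenset    # NS RRset at the leaf of the parent (delegation)
    child_ns: frozenset     # NS RRset at the apex of the child (authoritative)
    serves_zone: frozenset  # servers that actually answer authoritatively


def delegation_report(d):
    """Operator-side check: where the parent and child NS sets disagree, and
    which names on either side are lame (do not serve the zone)."""
    return {
        "only_in_parent": sorted(d.parent_ns - d.child_ns),
        "only_in_child": sorted(d.child_ns - d.parent_ns),
        "lame_in_parent": sorted(d.parent_ns - d.serves_zone),
        "lame_in_child": sorted(d.child_ns - d.serves_zone),
    }


def resolve_parent_centric(d):
    """Use only the parent's delegation NS (the policy Anthony describes)."""
    usable = d.parent_ns & d.serves_zone
    return sorted(usable) if usable else SERVFAIL


def resolve_child_centric(d, fall_back_to_parent):
    """Prefer the child's apex NS (higher credibility, signable). If every
    child NS is bogus, either fall back to the parent set or fail hard."""
    usable = d.child_ns & d.serves_zone
    if usable:
        return sorted(usable)
    return resolve_parent_centric(d) if fall_back_to_parent else SERVFAIL


# Constructed scenario: the zone moved providers; the parent was updated but
# the child's apex NS still lists the old provider's servers, which no longer
# answer for the zone.
STALE_CHILD = Delegation(
    zone="example.com.",
    parent_ns=frozenset({"ns1.new-provider.example.", "ns2.new-provider.example."}),
    child_ns=frozenset({"ns1.old-provider.example.", "ns2.old-provider.example."}),
    serves_zone=frozenset({"ns1.new-provider.example.", "ns2.new-provider.example."}),
)

# Constructed scenario: parent and child overlap on one name; the child also
# lists a server that was never set up.
PARTIAL_OVERLAP = Delegation(
    zone="example.org.",
    parent_ns=frozenset({"a.ns.example.", "b.ns.example."}),
    child_ns=frozenset({"a.ns.example.", "c.ns.example."}),
    serves_zone=frozenset({"a.ns.example.", "b.ns.example."}),
)

if __name__ == "__main__":
    for d in (STALE_CHILD, PARTIAL_OVERLAP):
        print(d.zone, delegation_report(d))
        print("  parent-centric:          ", resolve_parent_centric(d))
        print("  child-centric, fall back:", resolve_child_centric(d, True))
        print("  child-centric, strict:   ", resolve_child_centric(d, False))
```

In the stale-child scenario the parent-only and fall-back policies both end up on the new provider's servers and the zone keeps working, while the strict policy returns SERVFAIL, which is exactly the "failure matters" outcome Paul argues for; the report for the same zone lists both old names as lame on the child side and nothing lame on the parent side, which is the signal an operator would act on.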

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
