Tim Wicinski wrote:

> This is the beginning of the Working Group Last Call on Child To
> Parent Synchronization in DNS. The London update showed that this
> work is complete and ready to move forward.

The following paragraph:

   Some resource records (RRs) in a parent zone are typically expected
   to be in-sync with the source data in the child's zone. The most
   common records, to date, that should match are the nameserver (NS)
   records and any necessary associated address "glue" records (A and
   AAAA). These records are referred to as "delegation records".

does not make much sense, because the parent zone, today, is already free to update glue by itself.

That is, if multiple child zones sharing an NS report different glues, the parent zone must check the most current information.

The problem is a little more serious. That is, in the case when a child zone does not provide glue and another provides false glue, the parent zone MUST always check and provide the most current glue information.

Moreover, though the draft says:

   Clients deploying CSYNC MUST ensure their zones are signed, current
   and properly linked to the parent zone with a DS record that points
   to an appropriate DNSKEY of the child's zone.

it is more difficult than making referral NSes and glues up to date.

Though one may argue that DS inconsistency is more serious to cause validation failures, which motivates child zone administrators to seriously maintain the consistency, inconsistencies of referral NSes and glues may also be serious.

Or, if they are not so serious, it means there is no reason to synchronize only to waste operational efforts for inessential non-problems.

That is, the draft does not have much operational value, I'm afraid.

Masataka Ohta

PS

I feel the terminology of "agent" in the draft is annoying. "parent zone" or "parent zone administrator" should be more consistent with the terminology of RFC 1034.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop