(very very delayed reply, rebooting draft now...)

On 2016-03-17 at 22:45, John Kristoff wrote:

> The introduction lists 8 areas of interest.  All, except "7. Name
> Server" have their own section in the table of contents.  Oversight?

Yes, one section was missing. Fixed now.


> This sentence is awfully confusing:
>
>   Many requirements in this document deal with the properties of a
>   nameserver that is used as part of a delegation, therefore the
>   wording mentioning the use of a name server as part of this is
>   omitted.
>
> First there is nameserver, then name server as two words.  Which is
> it? More importantly, I'm not quite sure what is being said here. Can
> you perhaps rewrite, elaborate or provide an example?

Perhaps better? "Many requirements in this document deal with the properties of a
name server that is used as part of a delegation, therefore the wording
mentioning the use - authoritative or recursive - of a name server as part of
this is omitted."

https://github.com/CENTRccTLDs/TRTF/commit/e55fc859d89cbf0fea00d73343ae0774e1ce9b99
https://github.com/CENTRccTLDs/TRTF/commit/283f7590ffaf3e2c6376dcc7d656e18826126e2a


> You may be interested to know that I recently submitted a draft on DNS
> over TCP operational requirements.  If that work progresses as I hope,
> it might help with section 4.2 of your draft.

Reference added.

https://github.com/CENTRccTLDs/TRTF/commit/283f7590ffaf3e2c6376dcc7d656e18826126e2a


> The consistency requirements might be too strict, since it applies all
> zone data. While reasonable people might fret about inconsistency when
> things like "views", "geo-location", client-subnet and so on are in
> use, it might be best to limit consistency requirements to the
> infrastructure records (e.g. SOA, NS).

Yes, I've added a reference to RFC 7871.

https://github.com/CENTRccTLDs/TRTF/commit/ae734c8100c2274f16b2e2a01d18383a8cb27c17


> Additionally, I could imagine an argument being made that all names
> need not respond with the same NS RRset.  While generally this
> delegation or authority list inconsistency is often indication of a
> problem, it is feasible that it might be intentional and may even
> provide some advantage.  The so-called "fast flux" invention by the
> miscreants taught us that.

Do you have any proposed text to address this?


> Suggesting that name servers be the same AS is often unnecessary. More
> important is diversity in the route announcements covering the name
> server addresses.  Many might not even be able to easily satisfy this
> requirement.

Addressed in https://github.com/CENTRccTLDs/TRTF/commit/6a9e326208c0d1d650396850b2e654e1942c212c


> A few additional topics you may wish to consider:
>
>   * delegated name server should be authoritative only (no rd service)

https://github.com/CENTRccTLDs/TRTF/commit/05a992c2b06a410aca53b2a90f4681554fbb8b2f


>   * ptr names of NS addresses should match the associated A/AAAA names

Why is that?


>   * name server should run NTP or equivalent so time is accurate

This would be important if using TSIG, but how is it important from a delegation point of view?


>   * DNS TTLs of the NS and A/AAAA name servers MUST be consistent

It makes sense to me, but we need to explain why.


        jakob


(work in progress version at https://github.com/CENTRccTLDs/TRTF/blob/master/ietf/draft-wallstrom-dnsop-dns-delegation-requirements.md)
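The checks this thread goes back and forth on (child NS RRset matching the parent delegation, SOA serial agreement across the delegated servers, authoritative-only service with no recursion offered, and the TTL of the NS records agreeing with the TTL of the name servers' own A/AAAA records) can be written down as one consistency checker. The code below is an added example and is not part of the draft or of either correspondent's post; it runs over a constructed snapshot of what each delegated name server answered, and the `ServerAnswer` fields, the `example.test` names and the sample values are all assumptions. A real tool would fill the snapshot from live queries to each server instead.

```python
"""Delegation consistency checks over a constructed snapshot of answers.

Added example, not part of the draft or the mailing-list discussion.
Every server name, TTL and serial below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


def canon(name: str) -> str:
    """Canonical owner-name form for comparison: lower case, no trailing dot."""
    return name.lower().rstrip(".")


@dataclass
class ServerAnswer:
    """What one delegated name server answered for the zone apex (constructed)."""
    server: str                  # hostname of the name server that was queried
    ns_rrset: List[str]          # NS targets it serves at the apex
    ns_ttl: int                  # TTL of that NS RRset (one TTL per RRset, RFC 2181)
    addr_ttls: Dict[str, int]    # TTL of the A/AAAA RRset it serves for each NS target
    soa_serial: int              # serial of the SOA it serves
    aa: bool                     # AA flag set: it claims authority for the zone
    ra: bool                     # RA flag set: it offers recursion


def check_delegation(zone: str, parent_ns: List[str],
                     answers: List[ServerAnswer]) -> List[str]:
    """Return human-readable findings; an empty list means the delegation is consistent."""
    findings: List[str] = []
    parent_set = {canon(n) for n in parent_ns}

    # Infrastructure-record consistency: every server should serve the same SOA serial.
    serials = sorted({a.soa_serial for a in answers})
    if len(serials) > 1:
        findings.append(f"{zone}: SOA serial differs across servers: {serials}")

    for a in answers:
        # The child's NS RRset should match what the parent delegates to.
        child_set = {canon(n) for n in a.ns_rrset}
        if child_set != parent_set:
            findings.append(f"{zone}: NS RRset at {a.server} != parent delegation "
                            f"(child={sorted(child_set)}, parent={sorted(parent_set)})")
        # A delegated server must answer authoritatively and should not offer recursion.
        if not a.aa:
            findings.append(f"{zone}: {a.server} answered without AA")
        if a.ra:
            findings.append(f"{zone}: {a.server} sets RA (offers recursion)")
        # NS TTL and the name servers' A/AAAA TTLs should agree on each server.
        for target, ttl in a.addr_ttls.items():
            if ttl != a.ns_ttl:
                findings.append(f"{zone}: at {a.server}, NS TTL {a.ns_ttl} != "
                                f"A/AAAA TTL {ttl} for {canon(target)}")
    return findings


# Constructed sample: ns1 is consistent, ns2 offers recursion, ns3 serves a stale
# serial, omits itself from the NS RRset and serves a mismatched glue TTL.
SAMPLE_PARENT_NS = ["ns1.example.test.", "ns2.example.test.", "ns3.example.test."]
ALL_3600 = {"ns1.example.test": 3600, "ns2.example.test": 3600, "ns3.example.test": 3600}
SAMPLE_ANSWERS = [
    ServerAnswer("ns1.example.test", SAMPLE_PARENT_NS, 3600, dict(ALL_3600),
                 2016031701, aa=True, ra=False),
    ServerAnswer("ns2.example.test", SAMPLE_PARENT_NS, 3600, dict(ALL_3600),
                 2016031701, aa=True, ra=True),
    ServerAnswer("ns3.example.test", ["ns1.example.test", "ns2.example.test"], 3600,
                 {"ns1.example.test": 3600, "ns2.example.test": 300},
                 2016031700, aa=True, ra=False),
]


def sample_findings() -> List[str]:
    """Run the checker over the constructed snapshot."""
    return check_delegation("example.test", SAMPLE_PARENT_NS, SAMPLE_ANSWERS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

The checker deliberately compares only infrastructure records (NS, SOA) rather than all zone data, which is the narrowing John argues for above; the RA check encodes the "authoritative only" item, and the TTL comparison encodes the NS versus A/AAAA TTL item.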

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop