On Thu, Oct 27, 2016 at 4:58 PM, Patrik Wallström <pa...@blipp.com> wrote:
> Hi,
>
> I just wanted to tell you that we have published a new version of the I-D
> draft-wallstrom-dnsop-dns-delegation-requirements. It fixes all the
> comments that we have received so far, both on the mailing list and during
> the meeting where it was last discussed:
> https://tools.ietf.org/html/draft-wallstrom-dnsop-dns-delegation-requirements
>
> One thing that has bugged me was a comment to separate the meanings of
> domain names and host names. Host names follow a much more strict set of
> rules (they are all referenced in RFC 7719 under "host names") than domain
> names that could pretty much contain anything that fits into the DNS
> protocol. Right now we reference section 2.1 of RFC1123, but 7719 refers to
> 3.1 of 1034. Not that much of a difference, but at least worth mentioning.
>
> In the document we try to follow the rules that if there is something that
> is required from the DNS protocol perspective, it's a MUST. If there is
> anything needed to have a properly configured DNS that is more of a
> recommendation, it is a SHOULD.
>
> Please have a look.
>
> Thanks,
> Patrik
>

Thanks for working on this. Some comments...

2.2. The domain MUST have a parent domain
"do not have a parent zone" -- 'do' -> 'does'

2.3. The domain MUST have at least one working name server
"MUST be able to answer" -> "MUST answer"

4. Connectivity requirements
-- remove "be able to"

5.1. Authoritative name servers SHOULD NOT be recursive
"have very specific requirement on" should be either:
singular: "have a very specific requirement on"
or plural: "have very specific requirements on"

7.8. Glue records in delegation SHOULD exactly match records
-- what about the ttl in the glue records? The TTL in the parent (TLD) zone is often very long (days), but much shorter (minutes) in the child zone. Same for the NS records. But I might be wrong on this point.

8.7. The name server MUST include RRSIG in all responses to DNSSEC queries
"If the zone is signed, the name servers MUST be able to include RRSIG"
-- remove "be able to"

8.8. The name servers MUST include valid NSEC/NSEC3 record in NXDOMAIN responses
-- remove "be able to"

9.4. The NS names MUST NOT be an alias
"CNAME" refers to the right side of a CNAME record (the canonical name), but this point is talking about the left side, so change "(CNAME)" to "(CNAME record)" please.

9.6. The SOA RNAME MUST be a legal hostname
-- Are 'hostname' rules a new requirement in this RFC?
-- does the 'username' part have to conform to hostname rules?
Section 3.3 of [RFC1034]
-- says domain name (not hostname)
Section 2.2 of [RFC1912].
-- says to escape dots in username
Section 2.3.1 of [RFC1035]
-- says to 'prefer' ldh type rules for domain names and refers to RFC-822, where I had trouble finding specific rules
Section 2.1 of [RFC1123].
-- modify hostname rules, allowing starting digit

--
Bob Harold
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
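
The 9.6 question in the reply above, worked through as an added example (not part of the thread or of the draft): it splits an SOA RNAME on unescaped dots, as the RFC 1912 escaping convention requires, and checks every label against the RFC 1123 hostname rules, showing that an escaped-dot username is a legal domain name label but not a hostname label. The function names and the sample RNAME values are constructed for illustration.

```python
import re

# Hostname label per RFC 952 as relaxed by RFC 1123 section 2.1: letters,
# digits and hyphens only, a leading digit allowed, no leading/trailing hyphen.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def split_labels(name):
    """Split a presentation-format name on unescaped dots (RFC 1035 section 5.1)."""
    labels, cur, i = [], "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            digits = name[i + 1:i + 4]
            if len(digits) == 3 and digits.isascii() and digits.isdigit():
                cur += chr(int(digits))   # \DDD: octet given as decimal
                i += 4
            else:
                cur += name[i + 1:i + 2]  # \X: next character taken literally
                i += 2
        elif ch == ".":
            labels.append(cur)            # an unescaped dot ends the label
            cur, i = "", i + 1
        else:
            cur, i = cur + ch, i + 1
    labels.append(cur)
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()                      # trailing dot of a fully qualified name
    return labels


def check_rname(rname):
    """Return (mailbox, problems) for an SOA RNAME judged by hostname rules."""
    labels = split_labels(rname)
    problems = []
    for pos, label in enumerate(labels):
        if not LDH_LABEL.fullmatch(label):
            part = "username" if pos == 0 else "domain"
            problems.append(f"{part} label {label!r} is not a hostname label")
    return labels[0] + "@" + ".".join(labels[1:]), problems


if __name__ == "__main__":
    # Constructed sample RNAME values, not taken from the draft or the thread.
    for sample in (r"hostmaster.example.com.", r"first\.last.example.com.",
                   r"4ops.example.com.", r"dns_admin.example.com."):
        print(sample, "->", check_rname(sample))
```

A checker that split on every dot instead would read `first\.last.example.com.` as the mailbox `first\@last.example.com`, which is why the escape handling has to come before any label validation.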