Bob,

----- Original Message -----
> From: "Bob Harold" <rharo...@umich.edu>
> To: "fujiwara" <fujiw...@jprs.co.jp>
> Cc: "Ondřej Surý" <ondrej.s...@nic.cz>, "dnsop" <dnsop@ietf.org>
> Sent: Thursday, 10 November, 2016 19:23:07
> Subject: Re: [DNSOP] draft-fujiwara-dnsop-resolver-update-00

> There seems to be an assumption in this draft that the parent NS records
> are always correct, but I would argue that this is not the case.

Nope, I don't think this is an assumption of this draft or an assumption
of DNS status quo in general.

> If all of the NS records in the child point to servers that fail to answer
> for that zone, the zone breaks.
> But the same happens if all the NS records in the parent point to servers
> that fail to answer for that zone.
> 
> DNS treats parent NS records similarly to the root hints - as long as one
> of them points to a working child server, it can get a list of the current
> (true) list of NS records (from the child zone).  The child zone is the
> authority for the NS records, not the parent zone.

What you have just described is an end-user (human) perception of how the
humans think the DNS operates.  The recursive DNS doesn't really care about
parent vs child distinction if it has at least one working path.  On the
contrary, always sticking to child NS records and disregarding the changes
in the parent might lead to the "ghost domains" vulnerability.

Cheers,
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.s...@nic.cz    https://nic.cz/
 --------------------------------------------
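As an added illustration of the two points above (the parent delegation acting like root hints, and a child-sticky cache keeping a withdrawn delegation alive), here is a toy resolver cache with both refresh policies. This is constructed example code, not part of the draft or either author's message; the zone name, TTL and the `revalidate_with_parent` switch are assumptions of the example.

```python
"""Toy simulation of NS-cache refresh policies and the "ghost domain" effect.
Constructed example: zone data, names and TTLs are made up for illustration."""
from dataclasses import dataclass, field

NS_TTL = 3600  # assumed TTL the child zone puts on its own NS RRset


@dataclass
class Resolver:
    parent: dict                      # parent-side delegations: name -> NS set
    child: dict                       # child-side authoritative NS RRsets
    revalidate_with_parent: bool      # the mitigation: re-walk the delegation
    cache: dict = field(default_factory=dict)   # name -> (nsset, expiry)

    def lookup_ns(self, name: str, now: int):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]                       # fresh cache hit
        if entry and not self.revalidate_with_parent:
            # Child-sticky refresh: ask the child's own servers again. The
            # child is authoritative for its NS RRset, so the TTL is renewed
            # even though the parent no longer delegates the name.
            nsset = self.child.get(name)
        else:
            # First lookup, or expiry under the revalidating policy: start
            # from the parent delegation (the same way root hints are used),
            # then let the child's NS RRset override it once reachable.
            nsset = self.parent.get(name)
            if nsset is not None:
                nsset = self.child.get(name, nsset)
        if nsset is None:
            self.cache.pop(name, None)
            return None                           # name no longer resolvable
        self.cache[name] = (nsset, now + NS_TTL)
        return nsset


def run_scenario(revalidate: bool):
    """NS set seen at first lookup, during the TTL after a takedown, and
    after the cached RRset expires. The child server keeps answering."""
    parent = {"ghost.example": {"ns1.ghost.example"}}
    child = {"ghost.example": {"ns1.ghost.example"}}
    r = Resolver(parent, child, revalidate_with_parent=revalidate)
    first = r.lookup_ns("ghost.example", now=0)
    parent.pop("ghost.example")                   # registry withdraws delegation
    during = r.lookup_ns("ghost.example", now=1000)
    after = r.lookup_ns("ghost.example", now=NS_TTL + 1)
    return first, during, after
```

With `revalidate_with_parent=False` the name keeps resolving indefinitely after the parent drops it; with `True` it disappears once the cached NS RRset expires.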

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop