On 11/14/16, 20:10, "Olafur Gudmundsson" wrote:
>On Nov 14, 2016, at 5:01 PM, Ondřej Surý wrote:
>
>>Are they?  What is child-NS needed for?
>
>That is the NS set that the resolver should 
>use; the one in the parent is just a hint.
>
>All good resolvers should use the Parent as a hint 
>to find the child one; once the resolver has 
>the child one, toss the one from the parent. I know
>this is one extra query which is almost free as 
>it can be done in parallel with the query for real
>data. 

Both NS sets are needed when they differ.  There are a few states in which the 
two differ, that is when there are changes going on.  Changes might be
legitimate or results of abuse.

When both sets agree, then of course only one is needed, but one does not know 
they agree until you have both.

The importance of the child NS is to allow the child admin to bring on a name 
server before it has a chance to get the parent admin to update their zone.  In 
some cases, a parent has a policy of only updating the NS set to the child set.
The reasons include the parent avoiding starting a lame delegation and to make 
it easier to verify what the child admin intends to do.

There's the conceptual driver, that once the parent delegates to the child, the 
child decides everything including what nameservers they use.  This "works" up 
to the point of worrying about zone hijacking, yet another example of how 
"abuse of the network" wasn't considered in the original designs.  So this 
driver is less relevant now than it used to be.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
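
An added example, not part of the thread and not code from either poster: a monitoring-side comparison of the parent (delegation) NS set with the child (apex) NS set, reporting the states in which the two differ. The state names, the `compare_ns` function and the sample names are assumptions made for illustration; the `use` field follows the rule quoted above (child set once known, parent set as a hint otherwise).

```python
# Added example: compare a delegation NS set (parent side) with the apex
# NS set (child side). All names below are constructed; no DNS queries are made.

def normalize(names):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return {n.strip().rstrip(".").lower() for n in names if n.strip()}

def compare_ns(parent_ns, child_ns):
    """Classify how the parent and child NS sets relate (labels are assumptions)."""
    parent, child = normalize(parent_ns), normalize(child_ns)
    only_parent = sorted(parent - child)
    only_child = sorted(child - parent)
    if not child:
        state = "child-unavailable"   # only the parent's hint is known
    elif parent == child:
        state = "agree"
    elif not (parent & child):
        state = "disjoint"            # full migration, or worth investigating as abuse
    elif only_child and not only_parent:
        state = "child-ahead"         # child brought on a server the parent has not listed yet
    elif only_parent and not only_child:
        state = "parent-stale"        # parent still lists a server the child dropped
    else:
        state = "partial-overlap"
    return {
        "state": state,
        "only_parent": only_parent,
        "only_child": only_child,
        # Child set once it is known; parent set is only a hint.
        "use": sorted(child) if child else sorted(parent),
    }

# Constructed sample observations: (zone, parent NS set, child NS set)
SAMPLES = [
    ("a.example", ["NS1.a.example.", "ns2.a.example."],
                  ["ns1.a.example", "ns2.a.example", "ns3.a.example"]),
    ("b.example", ["ns1.b.example."], ["ns1.b.example."]),
    ("c.example", ["ns1.c.example."], ["ns9.other.example."]),
    ("d.example", ["ns1.d.example.", "ns2.d.example."], ["ns1.d.example."]),
]

if __name__ == "__main__":
    for zone, parent_ns, child_ns in SAMPLES:
        result = compare_ns(parent_ns, child_ns)
        print(zone, result["state"], result["only_parent"], result["only_child"])
```

Only a report that has both sets can show whether they agree, which is why the function takes both rather than the child set alone.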
