John Levine <jo...@taugh.com> wrote: > That is, the two zones have the same apex, and NS records point into > the interior of the second zone, not at the apex. That works in BIND, > of course, but it seems wrong.
Well, it kind-of works, but it's brittle. * If a client queries for the NS records, the authoritative NODATA from the child zone will override the delegation NS records (according to RFC 2181 trust ranking) which will break future resolution attempts. * Negative responses from the child zone will have the wrong SOA, causing SERVFAIL in the resolver's RFC 2308 response disambiguator. * DNSSEC will not work at all. (Any other issues I've forgotten?) Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Lyme Regis to Lands End including the Isles of Scilly: East or southeast 3 or 4, occasionally 5 at first. Slight or moderate, occasionally smooth in Lyme Bay. Showers later. Good. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
