On Jul 8, 2019, at 2:11 PM, Michael J. Sheldon <mshel...@godaddy.com> wrote:

> I'm not authoritative for those. Any response I send for the parent
> should be ignored completely.
> And it still leaves the issue that I can't return a TTL without a
> record, and I don't have a record to return it on.
In the case of a delegation, I think you respond as if the zone still exists. You are definitely authoritative for that zone—that’s what a delegation means. Responding with REFUSED doesn’t solve your problem, so doing that isn’t the right move.

> But there's other reasons for REFUSED as well (security, DDoS filtering,
> etc) and I should have a means to add to the reply, "don't ask again for
> X seconds"

I don’t think there’s a way to do this that will work, because DNSSEC. If you don’t have the key for the zone, you can’t reply with a signed answer. This also makes my solution above fail. Of course, you can do it for un-signed zones, which are the majority, but if we want a real solution, it’s going to require some new work.

And if it requires updating all recursive resolvers, you aren’t going to see any benefit from it this decade. And since your proposed solution doesn’t work with DNSSEC, it again doesn’t work this decade.

I think if we really wanted a solution to this problem that was secure, we’d need an analog of the DS record, only for the resolver. This would have to exist at the delegation point, and would be owned by the server operator, not the domain owner. A response signed by the owner of the name would be taken to indicate that the delegation is no longer valid, and would result in deferred retries for the lifetime of the zone. Much handwaving, etc., but you’d need something like this in order to securely repudiate a delegation without having the ZSK or the KSK of the delegated zone.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
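As an added illustration of the TTL point in the thread (this is not code from either poster): a REFUSED reply carries no record, so a resolver has nothing to take a caching lifetime from, whereas an authoritative negative answer carries it in the SOA of the authority section (RFC 2308, min of the SOA TTL and its MINIMUM field). The zone names, TTLs and message ID below are constructed sample values, and the builder emits uncompressed names only.

```python
import struct

# Constructed wire-format DNS messages (sample values, not real traffic).
QTYPE_A, QTYPE_SOA, CLASS_IN = 1, 6, 1
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5

def encode_name(name):
    """Uncompressed wire-format name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def build_reply(qname, rcode, soa=None):
    """Authoritative reply to an A query; soa=(zone, ttl, minimum) fills the authority section."""
    flags = 0x8400 | rcode  # QR=1, AA=1, RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 1 if soa else 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    if soa:
        zone, ttl, minimum = soa
        rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
        rdata += struct.pack("!IIIII", 1, 7200, 900, 1209600, minimum)  # serial .. minimum
        msg += encode_name(zone) + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, ttl, len(rdata)) + rdata
    return msg

def negative_cache_ttl(msg):
    """RFC 2308 negative TTL: min(SOA TTL, SOA MINIMUM) from the authority section, else None."""
    _, _, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if i >= an and rtype == QTYPE_SOA:
            rd = skip_name(msg, skip_name(msg, off))  # skip MNAME and RNAME
            minimum = struct.unpack("!I", msg[rd + 16:rd + 20])[0]
            return min(ttl, minimum)
        off += rdlen
    return None  # e.g. REFUSED: no record, so nothing to hang a TTL on
```

The RCODE sits in the low four bits of byte 3 of the header, so a caller can read `msg[3] & 0x0F` to distinguish the REFUSED case from a negative answer that simply lacks an SOA.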