On Fri, Apr 10, 2020 at 6:46 AM Shumon Huque <shu...@gmail.com> wrote:

> Hi folks,
>
> Paul Vixie, Ralph Dolmans, and I have submitted this I-D for
> consideration:
>
>    https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01
>
>
> Comments/discussion welcome.
>

There is one issue not addressed (here or anywhere else) that is
operationally relevant.

If a domain's delegation NS set includes name servers that no longer act as
authoritative servers for the zone, there is no adequate mechanism to
signal to the parent zone or to resolvers that this is a permanent
situation.

The delegation (re)validation might be a reasonable place to implement
something to detect this and adjust the choice of NS on the resolver's
cache.

(Part of the problem may be a "catch 22": the server receiving the query
isn't authoritative for the zone, so technically it can't/shouldn't return
anything authoritatively.)

This might also be viewed (correctly) as a corner case in the RRR model
that doesn't get addressed; it seems to happen most frequently if a
registrant changes registrars or if a domain lapses, where the previous
registrar also acted as DNS operator for the zone.

Thoughts? (Not sure if I did justice to the explanation; qv "lame
delegation".)

Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
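
The check the message above suggests (noticing, at delegation revalidation time, which servers in the parent's NS set no longer answer authoritatively for the zone), as an added example that is not part of the original message or of the draft. The host names, the reply headers and the classification rule (a reply to an SOA query for the zone apex counts as authoritative only with AA set, NOERROR and a non-empty answer section) are assumptions constructed for illustration.

```python
import struct

QR, AA = 0x8000, 0x0400  # response and authoritative-answer flag bits


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA),
            "rcode": flags & 0x000F, "ancount": an}


def classify(msg):
    """Classify one server's reply to an SOA query for the zone apex."""
    if msg is None:
        return "unreachable"  # a timeout may be transient, so it is not proof of lameness
    h = parse_header(msg)
    if not h["qr"]:
        return "invalid"      # not a response at all
    if h["rcode"] == 0 and h["aa"] and h["ancount"] > 0:
        return "authoritative"
    return "lame"             # REFUSED, SERVFAIL, or a non-authoritative answer or referral


def revalidate(delegation_ns, replies):
    """Split the parent's NS set by how each listed server actually answered."""
    result = {"authoritative": [], "lame": [], "unreachable": [], "invalid": []}
    for ns in delegation_ns:
        result[classify(replies.get(ns))].append(ns)
    return result


def header(flags, ancount=0):
    """Build a constructed reply header: ID 0x1234, one question."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)


# Constructed sample: a delegation that still lists the previous operator's servers.
DELEGATION = ["ns1.newdns.example.", "ns1.oldregistrar.example.",
              "ns2.oldregistrar.example.", "ns3.oldregistrar.example."]
REPLIES = {
    "ns1.newdns.example.": header(QR | AA, ancount=1),  # authoritative SOA answer
    "ns1.oldregistrar.example.": header(QR | 5),        # REFUSED
    "ns2.oldregistrar.example.": header(QR),            # NOERROR, AA clear, no answer
}                                                       # ns3 never replied

if __name__ == "__main__":
    for state, servers in revalidate(DELEGATION, REPLIES).items():
        print(state, servers)
```

A resolver applying such a rule would still have no way to tell the parent zone that the lame entries are permanent, which is the gap the message points out.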
