>> There are three possible situations in which this might be
>> considered a lame delegation:
>
> (4) What if NS.EXAMPLE.ORG does respond to EXAMPLE.NET queries
>     but claims that the correct name server is NS.EXAMPLE.COM?
>
>     Does that make the delegation NS "lame" since resolvers
>     will generally ignore NS.EXAMPLE.ORG henceforth for
>     resolution of EXAMPLE.NET?

I'd say that first and foremost the delegation is inconsistent if
the copy of the NS RRset in the delegating zone does not match
the NS RRset from the authoritative name servers for the zone.

Additionally, if ns.example.com is unresponsive for the zone in
question or not set up to answer queries for the zone, you also
have a "lame delegation".  You end up pointing to a name server
which will not respond as you expect.

> (5) Same thing as above excepting with in-domain name
>     servers. If NET. says the name server for EXAMPLE.NET is
>     NS1.EXAMPLE.NET, but when you query NS1.EXAMPLE.NET it says
>     NS2.EXAMPLE.NET is authoritative.

A name is a name, be it under in-addr.arpa or under .net, so I
think I would answer this the same as #4 above.

> (6) The delegation and auth agree on the NS name, but disagree
>     on the IP addresses. Does that make the IP addresses
>     supplied as glue "lame"?

That depends.  What you first and foremost have is outdated glue,
i.e. someone forgot to update the parent zone administrator with
new information about the IP address for (presumed required)
glue.

Additionally, if the outdated glue points to a non-responsive
name server or it runs a name server but is not configured to
respond to the zone, you could argue that you have a lame
delegation situation.

This is a situation which could arise in a transition period when
you want to move the DNS name service from one host to another,
so it's not entirely theoretical, and you avoid a lame delegation
situation by ensuring that both name servers respond as expected.

> (7) Is there a differentiation between a "lame" delegation
>     which makes resolution impossible vs. one which makes it
>     more difficult vs. one which risks inconsistent answers?

I would say "not really".

Regards,

- Håvard

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
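
Added example, not part of the original message: one way to turn the distinctions drawn in the reply (inconsistent NS RRset, outdated glue, lame server) into a check over observations that have already been collected. The function name, the finding labels and the sample data are assumptions made for illustration.

```python
def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def classify_delegation(parent_ns, child_ns, glue, auth_addrs, answers):
    """Classify one delegation from already-collected observations.

    parent_ns  - NS names in the delegating zone's copy of the NS RRset
    child_ns   - NS names returned by the zone's authoritative servers
    glue       - {ns name: addresses} handed out by the parent as glue
    auth_addrs - {ns name: addresses} from the authoritative address records
    answers    - {address: True if it answers authoritatively for the zone}
    """
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    glue = {norm(n): set(a) for n, a in glue.items()}
    auth = {norm(n): set(a) for n, a in auth_addrs.items()}
    findings = set()
    # Questions 4 and 5: the two copies of the NS RRset do not match.
    if child:
        findings |= {("inconsistent-ns", n) for n in parent ^ child}
    # Question 6: same NS name, but the glue differs from the real address.
    for n in parent & glue.keys() & auth.keys():
        if glue[n] != auth[n]:
            findings.add(("outdated-glue", n))
    # Lame: an address a resolver may be sent to does not serve the zone.
    # Old and new addresses are both checked, as in a migration.
    for n in parent | child:
        for ip in glue.get(n, set()) | auth.get(n, set()):
            if not answers.get(ip, False):
                findings.add(("lame", n, ip))
    return findings

if __name__ == "__main__":
    # Constructed observations (documentation address range 192.0.2.0/24).
    q4 = classify_delegation(
        ["NS.EXAMPLE.ORG."], ["ns.example.com."], {},
        {"ns.example.org": ["192.0.2.1"], "ns.example.com": ["192.0.2.2"]},
        {"192.0.2.1": True, "192.0.2.2": True})
    q6 = classify_delegation(
        ["ns1.example.net"], ["ns1.example.net"],
        {"ns1.example.net": ["192.0.2.10"]},
        {"ns1.example.net": ["192.0.2.20"]},
        {"192.0.2.10": False, "192.0.2.20": True})
    print(sorted(q4))
    print(sorted(q6))
```
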
