On Tue, 2 May 2023, Peter Thomassen wrote:
> This, so far, was my understanding of the definition that was given in the
> other thread, and which Benno labeled (2) in the original post of this
> thread:
>
>   "A lame delegation is said to exist when one or more authoritative
>   servers designated by the delegating NS RRset or by the child's apex
>   NS RRset answers non-authoritatively [or not at all] for a zone".
>
> ... without the "or not at all" part (so, an answer is required for
> "lameness").

I don't think that is complete. If all the parental NS records point to
properly working nameservers, but the authoritative nameservers claim
an additional NS record, I would also call the delegation lame. Especially
if that additional nameserver specified in the authoritative NS RRset is
responding non-authoritatively. This might not be lame on the initial
queries, but if the resolver is child centric or validating, that broken
authoritative NS will end up getting queried and a lame answer would be
given.

> Without asking to invent a term if none exists, I'd like to learn how to call
> a delegation that points to an NS hostname that does not have an address
> record (verifiably, e.g. denied by a DNSSEC negative response).
>
> Before the discussion, I thought this qualifies as "lame" (because you can
> tell from the response that there's no DNS service; it's not a timeout), but
> with the above definition, it can't be called "lame".

How about:
"A lame delegation is said to exist when the NS RRset of a zone is
different at the parent and child nameservers, with the mismatched
authoritative servers either listed at the parent or child answering
non-authoritatively for that zone."
Paul
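
Added example, not part of the original message: the two wordings quoted above, read literally, applied to the cases raised in this thread. The hostnames, probe outcomes, function names and the "present in only one RRset" reading of "mismatched" are assumptions made for illustration.

```python
# Constructed probe outcomes: how each NS host answered a query for the zone.
AA, NON_AA, TIMEOUT, NO_ADDR = "aa", "non-aa", "timeout", "no-address"

def lame_def2(parent_ns, child_ns, probe, or_not_at_all=False):
    """Definition (2): a server named in the delegating NS RRset or in the
    child's apex NS RRset answers non-authoritatively [or not at all]."""
    bad = {NON_AA, TIMEOUT} if or_not_at_all else {NON_AA}
    return sorted(ns for ns in parent_ns | child_ns if probe[ns] in bad)

def lame_proposed(parent_ns, child_ns, probe):
    """Proposed wording, read literally: the two NS RRsets differ and a
    server present in only one of them answers non-authoritatively."""
    return sorted(ns for ns in parent_ns ^ child_ns if probe[ns] == NON_AA)

BOTH = {"ns1.example.", "ns2.example."}  # constructed NS RRset

# name -> (parent NS RRset, child apex NS RRset, probe result per server)
SCENARIOS = {
    "extra child NS, non-authoritative": (
        BOTH, BOTH | {"ns3.example."},
        {"ns1.example.": AA, "ns2.example.": AA, "ns3.example.": NON_AA}),
    "matching sets, one non-authoritative": (
        BOTH, BOTH, {"ns1.example.": AA, "ns2.example.": NON_AA}),
    "matching sets, NS host has no address": (
        BOTH, BOTH, {"ns1.example.": AA, "ns2.example.": NO_ADDR}),
    "matching sets, one server silent": (
        BOTH, BOTH, {"ns1.example.": AA, "ns2.example.": TIMEOUT}),
}

def evaluate(name):
    """Return the servers each wording would flag for one scenario."""
    parent, child, probe = SCENARIOS[name]
    return {
        "def2": lame_def2(parent, child, probe),
        "def2_or_not_at_all": lame_def2(parent, child, probe, True),
        "proposed": lame_proposed(parent, child, probe),
    }

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name}: {evaluate(name)}")
```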