[DNSOP] Terminology: "primary master"

2017-11-23 Thread Havard Eidnes
Hi, draft 07 says: Primary master: "The primary master is named in the zone's SOA MNAME field and optionally by an NS RR". (Quoted from [RFC1996], Section 2.1). [RFC2136] defines "primary master" as "Master server at the root of the AXFR/IXFR dependency graph. The primary

Re: [DNSOP] Error handling in CAA

2017-11-23 Thread Tony Finch
Viktor Dukhovni wrote: > A private sub-domain should return NXDomain on the public side of > the Internet, Maybe. That (mostly) requires that DNS servers support views. Obviously in practice, private zones and views are often used together, but DNS purists have also argued that you don

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Matthew Pounsett
On 23 November 2017 at 06:19, Havard Eidnes wrote: > Hi, > > draft 07 says: > >Primary master: "The primary master is named in the zone's SOA MNAME > field and optionally by an NS RR". (Quoted from [RFC1996], > Section 2.1). [RFC2136] defines "primary master" as "Master >

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Petr Špaček
On 23.11.2017 15:00, Matthew Pounsett wrote: > On 23 November 2017 at 06:19, Havard Eidnes > wrote: > > Hi, > > draft 07 says: > >    Primary master:  "The primary master is named in the zone's SOA MNAME >       field and optionally by an NS RR".  (Quoted

Re: [DNSOP] Clarifying referrals (#35)

2017-11-23 Thread Stephane Bortzmeyer
On Tue, Nov 14, 2017 at 09:04:36PM -0500, Dave Lawrence wrote a message of 17 lines which said: > I'd be surprised to see REFUSED from a resolver. % dig +norec @9.9.9.9 A www.afnic.fr ; <<>> DiG 9.10.3-P4-Debian <<>> +norec @9.9.9.9 A www.afnic.fr ; (1 server found) ;; global options: +cmd ;;

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Joe Abley
On Nov 23, 2017, at 06:19, Havard Eidnes wrote: > Secondly: can someone please explain to me why the idea of a > "primary master" where the zone data originates from and where > updates are performed is considered archaic? I think the only in-protocol use of the MNAME field is to specify the nam

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Havard Eidnes
>> Secondly: can someone please explain to me why the idea of a >> "primary master" where the zone data originates from and where >> updates are performed is considered archaic? > > I think the only in-protocol use of the MNAME field is to > specify the name to which UPDATE messages are sent. Rea

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Joe Abley
Hi Håvard, On Nov 23, 2017, at 11:36, Havard Eidnes wrote: >>> Secondly: can someone please explain to me why the idea of a >>> "primary master" where the zone data originates from and where >>> updates are performed is considered archaic? >> >> I think the only in-protocol use of the MNAME fie

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Tony Finch
Joe Abley wrote: > > In that sense the idea of using a single master (which I think is > implied by "primary master" and a name published in a single MNAME > field) is defensibly archaic. It's quite difficult to have multiple masters and DNSSEC and coherent copies of the zone from all masters - i

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Paul Vixie
Joe Abley wrote: On Nov 23, 2017, at 06:19, Havard Eidnes wrote: ... While a single slave sending zone transfer requests to a single master is still a valid example of such a graph, I think it's more a degenerate case than the usual case today. In that sense the idea of using a single master (

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Joe Abley
On Nov 23, 2017, at 12:44, Tony Finch wrote: Joe Abley wrote: In that sense the idea of using a single master (which I think is implied by "primary master" and a name published in a single MNAME field) is defensibly archaic. It's quite difficult to have multiple masters and DNSSEC and coh

Re: [DNSOP] Terminology: "primary master"

2017-11-23 Thread Paul Vixie
Joe Abley wrote: ... Feeding a large array of slaves (eg hundreds, including individual members of clusters) with large numbers of zones from a single master doesn't scale very well. when i had to do this i fed 100 from one or two, where the two were HA using non-DNS tech such as NFS or sql

Re: [DNSOP] DNSOP Digest, Vol 132, Issue 45

2017-11-23 Thread Viktor Dukhovni
> On Nov 23, 2017, at 11:13 AM, dnsop-requ...@ietf.org wrote: > > Even so, I know that at least one CA has received enough complaints from > customers with REFUSED private domains that they have already updated > their implementation to permit certificates in unresolvable zones that > lack DNSSE