[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
paul at vix.com
Thu Jan 10 15:17:35 UTC 2008
> > maybe we could add an option, defaulting to off, that would have a server
> > periodically walk the tree from the root to itself, checking for
> > above/below deltas across each delegation, and checking for lameness?

> Wouldn't such an option have to walk the entire namespace looking for
> delegations, and wouldn't such a walk require the ability to enumerate the
> contents of zones hosted elsewhere?

i must have misstated. i said "walk the tree from the root to itself" so
i mean that as the owner of vix.com i'd check that the root's delegation to
com matched(*) com's apex, and that com's delegation to vix.com matched(*)
vix.com's apex, and that every server answered authoritatively and that the
serial numbers were close(*). i do not mean look for all delegations
involving my server, just all the delegations that lead to my zones.

> (Or I could be misunderstanding what you're suggesting. The phrase "from the
> root to itself" confuses me, since "root" seems to be a namespace word, and
> "itself" seems to be a nameserver word).

here, "itself" means "my zones". sorry for the slop. two notes:

what "close" means, i don't know. maybe if it looks like a unix mtime, then
it has to be within one day, and if it's below a million, then it has to be
within a hundred, and if it's below ten thousand, it has to be within ten.

what "match" means, to me, is that the below-the-cut nameservers are a proper
superset of the above-the-cut nameservers, and that all the nameserver A/AAAA
rrsets exactly match each other. but the tool should have a knob, since my
definition of "match" might not be one-size-fits-all.
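The "match" and "close" definitions above, as an added example in Python that is not part of the original thread: it models the check at one zone cut on constructed data (no DNS queries are made), assuming that a serial of a million or more counts as unix-mtime-like, that only glue the parent actually publishes is compared with the child's apex rrsets, and that the "proper superset" reading is the knob rather than the default.

```python
# Offline model of the per-cut check: constructed inputs stand in for what
# the tool would gather by querying the parent and each child nameserver.
from dataclasses import dataclass
from itertools import combinations


def serials_close(a: int, b: int) -> bool:
    """Paul's 'close' heuristic. Assumption: a serial of a million or more is
    treated as unix-mtime-like (tolerance one day); below a million the
    tolerance is a hundred, below ten thousand it is ten."""
    lo, delta = min(a, b), abs(a - b)
    if lo < 10_000:
        return delta <= 10
    if lo < 1_000_000:
        return delta <= 100
    return delta <= 86_400


@dataclass
class CutSide:
    """NS names and A/AAAA rrsets seen on one side of a zone cut."""
    ns: frozenset   # nameserver names
    addrs: dict     # ns name -> frozenset of addresses (glue above, apex data below)


def check_cut(above: CutSide, below: CutSide, answers: dict, strict: bool = False) -> list:
    """Return the problems at one delegation; an empty list is a 'match'.
    answers maps each child nameserver to (aa_bit, soa_serial) as observed.
    strict=True is the knob: require the apex NS set to be a proper superset."""
    problems = []
    missing = above.ns - below.ns
    if missing:
        problems.append("NS above the cut but not at apex: %s" % sorted(missing))
    if strict and not below.ns > above.ns:
        problems.append("apex NS set is not a proper superset of the delegation")
    # only glue the parent actually publishes can be compared with apex rrsets
    for name in sorted(above.addrs):
        if above.addrs[name] != below.addrs.get(name, frozenset()):
            problems.append("A/AAAA mismatch for %s" % name)
    for name in sorted(below.ns):
        aa, _ = answers.get(name, (False, None))
        if not aa:
            problems.append("%s did not answer authoritatively" % name)
    serials = [s for aa, s in answers.values() if aa and s is not None]
    for x, y in combinations(serials, 2):
        if not serials_close(x, y):
            problems.append("serials %d and %d are not close" % (x, y))
            break
    return problems
```

Run the walk by calling check_cut once per cut from the root down to the zone you own; the real tool would fill CutSide and answers from live queries.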