[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Paul Vixie paul at vix.com
Thu Jan 10 15:17:35 UTC 2008

> > maybe we could add an option, defaulting to off, that would have a server
> > periodically walk the tree from the root to itself, checking for
> > above/below deltas across each delegation, and checking for lameness?
> Wouldn't such an option have to walk the entire namespace looking for
> delegations, and wouldn't such a walk require the ability to enumerate the
> contents of zones hosted elsewhere?

i must have misstated.  i said "walk the tree from the root to itself" so
i mean that as the owner of vix.com i'd check that the root's delegation to
com matched(*) com's apex, and that com's delegation to vix.com matched(*)
vix.com's apex, and that every server answered authoritatively and that the
serial numbers were close(*).  i do not mean look for all delegations
involving my server, just all the delegations that lead to my zones.

> (Or I could be misunderstanding what you're suggesting. The phrase "from the
> root to itself" confuses me, since "root" seems to be a namespace word, and
> "itself" seems to be a nameserver word).

here, "itself" means "my zones".  sorry for the slop.  two notes:

what "close" means, i don't know.  maybe if it looks like a unix mtime, then
it has to be within one day, and if it's below a million, then it has to be
within a hundred, and if it's below ten thousand, it has to be within ten.

what "match" means, to me, is that the below-the-cut nameservers are a proper
superset of the above-the-cut nameservers, and that all the nameserver A/AAAA
rrsets exactly match each other.  but the tool should have a knob, since my
definition of "match" might not be one-size-fits-all.

More information about the dns-operations mailing list