[dns-operations] go daddy refuses to register NS not otherwise associated with go daddy controlled domains

[Florian Weimer]

* Joe Abley:

> This is not very easy to explain, even to people who are
> technologists, so it seems slightly unfair to apportion all the
> blame for the situation on any particular registrar (particularly
> one whose business model is all about hiding complicated details and
> making things easy for non-technical customers).

Isn't it actually pretty simple?

With the old, pre-DNSSEC ATLAS implementation and the prevalent
recursor behavior, these checks were necessary so that you couldn't
take over subdomains of your choice.  I wouldn't rule out that they
still serve a similar purpose today.

Better checks are not possible because the registrar doesn't know if
domain1.example and domain2.example really belong to the same entity
(so that it is kosher to add glue for ns3.domain2.example along with
domain1.example), even when they are maintained from the same account.
It could be a reseller who represent multiple, unrelated customers.