[dns-operations] sibling glue

Tony Finch dot at dotat.at
Tue Jun 23 16:03:27 UTC 2015


A question for those who know more about registry rules than me...

In the .example zone there can be five kinds of delegation NS record
(taking each record separately rather than the whole delegation NS RRset).
The requirements I am stating below are from the DNS point of view rather
than from the registry point of view.

glue-forbidden.example.		IN	NS	ns0.example.net.
;
; You must not provide glue when the name server host name is not a
; subdomain of the parent domain (.example in this case).

not-glue.example.		IN	NS	ns1.example.
;
; A child zone's name server host name can be in the authoritative data
; for the parent zone. This isn't glue.

glue-required.example.		IN	NS	ns2.glue-required.example.
;
; You must provide glue when a child zone has a name server whose host
; name is a subdomain of the child zone's apex.

; There are two cases where a child zone has a name server whose host name
; is a subdomain of a different sibling child zone of the same parent zone.

sibling-must-glue.example.	IN	NS	ns2.glue-required.example.
;
; The name server of this child zone can also be a name server of its
; sibling zone, in which case the sibling delegation must provide glue.

sibling-may-glue.example.	IN	NS	ns3.sibling.example.
;
; The name server of this child zone can be a subdomain of its sibling
; zone but not a name server for the sibling zone. Glue is optional in
; this case.


So, to a large extent, you can update a delegation knowing only data that
is in the child zone. (You might also need to know about descendent zones,
for cases like cam.ac.uk. IN NS dns0.cl.cam.ac.uk.)

But it gets tricky if the registry requires sibling glue, since that means
an update might need to know (or find out) quite a lot of contextual
information.

How common is it for registries to require glue for cases like
sibling-may-glue.example?

I suppose it makes sense from the registry point of view to require glue
for all names which are subdomains of the parent zone; that means a host
object can be attached to any domain object without having to worry if the
delegation might lack glue that it needs.

Also I get the vague impression that sibling delegations can cause
interesting problems wrt ownership of host objects.

For instance, is it normal for client A to be able to create host objects
under a domain owned by client B?

(These are edge cases which I can easily ignore, but they are annoyingly
awkward...)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Dogger: Northwest 5 or 6, becoming variable 3 or 4 later. Moderate,
occasionally slight later. Fair. Good.
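Added example, not part of the original post: a Python sketch that sorts each delegation NS record of a parent zone into the five kinds listed in the message above. The function names are hypothetical, the sample data is constructed from the post's names, and the `sibling.example.` delegation is an assumption added so that `ns3.sibling.example.` sits below a sibling zone cut; a host name at or below the child apex is treated as needing glue.

```python
# Constructed sample: the post's five delegations under "example.", plus an
# assumed delegation for sibling.example. (not in the post) so that
# ns3.sibling.example. falls below a sibling zone cut.
PARENT = "example."
DELEGATIONS = {
    "glue-forbidden.example.": ["ns0.example.net."],
    "not-glue.example.": ["ns1.example."],
    "glue-required.example.": ["ns2.glue-required.example."],
    "sibling-must-glue.example.": ["ns2.glue-required.example."],
    "sibling-may-glue.example.": ["ns3.sibling.example."],
    "sibling.example.": ["ns0.example.net."],  # assumed, see above
}

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return name.lower().rstrip(".").split(".")

def is_subdomain(name, zone):
    """True if name is at or below zone, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def classify(child, ns, parent, delegations):
    """Classify one NS record (child IN NS ns) in the parent zone."""
    if not is_subdomain(ns, parent):
        return "glue-forbidden"      # host name is outside the parent domain
    cuts = [d for d in delegations if is_subdomain(ns, d)]
    if not cuts:
        return "not-glue"            # address is authoritative parent data
    # Delegations in one zone do not nest; take the cut closest to the parent.
    owner = min(cuts, key=lambda d: len(labels(d)))
    if labels(owner) == labels(child):
        return "glue-required"       # host name is inside the child itself
    # Host name is inside a sibling: glue is mandatory only if the sibling
    # also uses this host as one of its own name servers.
    sibling_ns = {tuple(labels(h)) for h in delegations[owner]}
    if tuple(labels(ns)) in sibling_ns:
        return "sibling-must-glue"
    return "sibling-may-glue"

def classify_zone(parent, delegations):
    """Map (child, ns) -> kind for every NS record in the delegation set."""
    return {(c, ns): classify(c, ns, parent, delegations)
            for c, hosts in delegations.items() for ns in hosts}

if __name__ == "__main__":
    for (child, ns), kind in classify_zone(PARENT, DELEGATIONS).items():
        print(f"{child:30} NS {ns:30} {kind}")
```

The sibling branches are the ones that need the whole delegation set as input, which is the contextual information the message says an update may have to find out.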


