[dns-operations] EDNS and TLDs

Matthew Pounsett matt at conundrum.com
Thu Nov 17 04:37:40 UTC 2016

On 17 November 2016 at 13:30, Mark Andrews <marka at isc.org> wrote:

> >
> > Do you know how the patch is to be implemented?  If absence of the
> > relevant SRV record indicates fallback to MNAME then it doesn't solve
> > the problem.
> SRV defines "." in the server field as "no service".
> e.g.
>         _dns-update._tcp.tld. SRV 0 0 0 .

Ah yes.. that works then.

> Note also the SOA MNAME is only supposed to be used if it matches
> a NS record name.  Updates are supposed to be able to go to any
> nameserver for the zone.

I can't lay my hands on a reference, and it's been a long time since I've
had to have this conversation with them, but I seem to recall that IANA
insists on a gTLD MNAME being one of the names in the NS set.  I may be
completely wrong about that and I invite someone who knows better to please
correct me.

> As far as I can see there was no RFC issued with this assignment.
> I would suggest doing a RFC2136bis which incorporates this along
> with SIG(0)/TSIG/GSS-TSIG as securing mechanisms.  RFC2137 is
> currently mentioned in the security considerations and is very much
> out of date.  SIG(0) and TSIG are forwardable though you have to
> preserve the ID field when forwarding SIG(0) signed updates.

It won't fix the current install base, but I'd happily co-author something
to this effect to help squelch the noise from future deployments.
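As an added illustration (not code from this thread or from any of the RFCs mentioned), here is a client-side selection routine that applies the rules discussed above: a `_dns-update._tcp` SRV target of "." means no update service, absence of the record falls back to the SOA MNAME, and MNAME is only honoured when it is also one of the zone's NS names. Zone names and record data in it are constructed, and the 53/5353 ports are assumptions.

```python
"""Decide where a DNS UPDATE client should send its request, given the
_dns-update._tcp SRV RRset, the SOA MNAME and the NS set of the zone.
Added example; not from the dns-operations thread. Names are constructed."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # owner-name form, e.g. "ns1.tld." or "." meaning no service


def parse_srv(rdata: str) -> SRV:
    """Parse presentation-format SRV RDATA such as '0 0 0 .'."""
    prio, weight, port, target = rdata.split()
    return SRV(int(prio), int(weight), int(port), target.lower())


def select_update_target(srv_rrs, soa_mname, ns_names, rng=random.random):
    """Return (host, port), or None when the zone advertises no update service."""
    ns_set = {n.lower() for n in ns_names}
    if srv_rrs:
        # RFC 2782: a target of "." says the service is explicitly not offered,
        # so an SRV RRset consisting only of such records means "do not update".
        usable = [r for r in srv_rrs if r.target != "."]
        if not usable:
            return None
        best_prio = min(r.priority for r in usable)
        cands = [r for r in usable if r.priority == best_prio]
        # Weighted pick among equal-priority records (rng is injectable for tests).
        total = sum(r.weight for r in cands)
        pick = rng() * total if total else 0
        for r in cands:
            if total == 0 or pick < r.weight:
                return (r.target, r.port)
            pick -= r.weight
        return (cands[-1].target, cands[-1].port)
    # No SRV record at all: legacy fallback to SOA MNAME, but only when MNAME
    # is itself one of the published nameservers for the zone.
    mname = soa_mname.lower()
    if mname in ns_set:
        return (mname, 53)
    # Otherwise any nameserver for the zone is an acceptable update target.
    return (sorted(ns_set)[0], 53) if ns_set else None
```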