[dns-operations] any registries require DNSKEY not DS?

Paul Vixie paul at redbarn.org
Fri Apr 17 22:53:43 UTC 2020

On Friday, 17 April 2020 19:48:48 UTC Olafur Gudmundsson wrote:
> > On Jan 22, 2020, at 11:16 PM, Paul Vixie <paul at redbarn.org> wrote:
> > 
> > ...
> > 
> > historians please note: we should have put the DS RRset at $child._dnssec.
> > $parent, so that there was no exception to the rule whereby the delegation
> > point belongs to the child. this was an unforced error; we were just
> > careless. so, example._dnssec.com rather than example.com.
> Paul,
> If start talking about history and looking back with hindsight
> IMHO the second biggest mistake in DNS design was to have the same type in
> both parent and child zone If RFC1035 had specified DEL record in parent
> and NS in child or the other way around it would have been obvious to
> specify a range of records that were parent only (just like meta records) 
> thus all resolvers from the get go would have known that types in that
> range only reside at the parent. ……
> If we had the DEL record then that could also have provided the glue hints
> and no need for additional processing,
> You may recall that in 1995 when you and I were trying to formalize for
> DNSSEC what the the exact semantics of NS record were, then you and Paul
> Mockapetris came up with “Parent is authoritative for the existence of NS
> record, Child is authoritative for the contents”
> Just in case you are wondering what was the biggest mistake that is QR bit,
> recursion should have been on a different port than Authoritative.
> But this is all hindsight based on 30 years of coding and operational
> difficulties.
> Regards,
> Ólafur

other than that i think you meant the RD bit, and that you're reminding me 
(indirectly) of all the times i should have been smarter or more polite or 
both, i am +1 to your comments above.


More information about the dns-operations mailing list