[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

Paul Vixie paul at redbarn.org
Tue Nov 17 07:56:19 UTC 2020


On Mon, Nov 16, 2020 at 04:09:45PM -0800, Doug Barton wrote:
> Puneet, or anyone else at Google, are there publicly available references to
> this configuration choice? Web searches have all returned pages of generic
> discussion about parent/child config. I'm having a discussion with some
> colleagues and it would be helpful to reference something official. [...]

the parent/child schism only arises if the child's NS RRset becomes visible.
it was once common to return the apex NS RRset with responses especially
negative responses but i'm not seeing much of that today. this matters, because:

> On 2020-04-02 13:12, Puneet Sood wrote:
> > Hi Doug,
> > 
> > Google Public DNS resolution is working now.
> > 
> > Google Public DNS is ???parent-centric??????meaning that it only uses the
> > name servers that are returned in the referral responses from the
> > parent zone name servers, and does not make NS queries to this child
> > zone. [...]

if an RDNS does not receive a child (apex) NS RRset, either because it is
never included in other responses from that zone's authority servers, or
because (as in the google "public" dns case shown above) no question ever
asks for them, then the parent-centric design is implicit, and will require
no justification or "official" "reference".

only if a stub asks the recursive for the apex NS RRset, and the recursive
cannot respond with the delegation (which would upgrade the RRset's
credibility from authority to answer), and it has to go fetch it, can the
decision to use the parent or child information when making subsequent
queries to that zone be made. i'd hope to see the higher-credibility RRset
(from the child's apex) be used in that situation, but it's going to be rare.

(i looked today at the bind9 configuration guide and it says that
rfc2308-type1 is not implemented yet. it's been 20 years, so this situation
may be permanent. i'd like it to get implemented, and i would turn it on here.)

-- 
Paul Vixie



More information about the dns-operations mailing list