[dns-operations] OpenDNS, Google, Nominet - New delegation update failure mode

[Phil Pennock]

On 2020-11-17 at 07:56 +0000, Paul Vixie wrote:
> only if a stub asks the recursive for the apex NS RRset, and the recursive
> cannot respond with the delegation (which would upgrade the RRset's
> credibility from authority to answer), and it has to go fetch it, can the
> decision to use the parent or child information when making subsequent
> queries to that zone be made. i'd hope to see the higher-credibility RRset
> (from the child's apex) be used in that situation, but it's going to be rare.

Double-check: in such a scenario, if the request is for the recursive to
validate DNSSEC and this zone is not opt-out, then the recursive would
HAVE to get the data from the child, because the parent won't have RRSIG
records for the glue NS, right?

So once asked for the NS explicitly, a validating recursive handling a
child zone has to use the child RRset at least for that answer; but if
never asked for the NS, then the DS->DNSKEY validation is sufficient and
this never needs to happen.

I can see the appeal of trying to avoid the child NS, to counter
fast-flux abusive domains at the cost of not letting mismanaged domains
get away with quite as much divergence between parent registration and
reality.

-Phil