[dns-operations] why does that domain resolve?

Paul Vixie paul at redbarn.org
Fri Jun 4 16:56:43 UTC 2021

On Fri, Jun 04, 2021 at 12:22:10PM -0400, Anthony Lieuallen via dns-operations wrote:
> This is a question of being parent- vs. child- centric.  The parents in the
> DNS tree delegate correctly.  The fact that the children delegate
> incorrectly can be a small or non-issue depending on resolver.

those NS RRs are authoritative at the apex of the child, but not at the leaf of
the parent. this means they have higher credibility, and also that they can be
DNSSEC signed and validated. credibility and validity _matter_.

> Google Public DNS uses only parent delegations (
> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation
> ).  Largely for issues like this: the child delegations can be wrong, but
> for the domain to work at all, the parent delegations must be correct.

without broad and deep failure, the quality of apex NS names will never improve.

> (Resolvers that choose to use child delegations will likely in this case
> discover that these delegations are bogus, and be left with only the valid
> delegations, from the parent.)

at which point they should return SERVFAIL. failure _matters_.

Paul Vixie
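
Added example, not part of the original message: a small Python model of the credibility point in the thread, using a subset of the data ranking from RFC 2181 section 5.4.1 to show how a child-centric cache and a parent-only cache end up with different NS sets. NsCache, the zone and the server names are hypothetical and constructed for illustration; the model covers cache replacement only, not validation or SERVFAIL handling.

```python
from enum import IntEnum

class Trust(IntEnum):
    """Subset of the RFC 2181 section 5.4.1 ranking, lowest to highest."""
    REFERRAL_AUTHORITY = 1  # NS in the authority section of a non-AA referral (parent)
    AA_AUTHORITY = 2        # NS in the authority section of an AA answer
    AA_ANSWER = 3           # NS in the answer section of an AA reply (child apex)

def norm(names):
    """Case-fold names and drop the trailing dot so sets compare cleanly."""
    return frozenset(n.lower().rstrip(".") for n in names)

class NsCache:
    """Hypothetical NS cache; child_centric=False models a parent-only resolver."""
    def __init__(self, child_centric=True):
        self.child_centric = child_centric
        self.entries = {}  # zone -> (names, trust)

    def offer(self, zone, names, trust):
        """Store an NS RRset if policy allows; return True when it was stored."""
        if not self.child_centric and trust is not Trust.REFERRAL_AUTHORITY:
            return False  # parent-centric: child-side NS data is ignored
        current = self.entries.get(zone)
        if current is not None and trust < current[1]:
            return False  # lower-credibility data never replaces higher
        self.entries[zone] = (norm(names), trust)
        return True

    def nameservers(self, zone):
        return self.entries[zone][0]

def disagreement(parent_ns, child_ns):
    """Report names present on only one side of the zone cut."""
    p, c = norm(parent_ns), norm(child_ns)
    return {"parent_only": sorted(p - c), "child_only": sorted(c - p)}

# Constructed sample data: the child apex still lists a stale server.
ZONE = "example.test"
PARENT_NS = ["ns1.example.net.", "ns2.example.net."]
CHILD_NS = ["NS1.example.net.", "ns-old.example.org."]

def run(child_centric):
    """Feed referral, apex answer, then the referral again; return outcomes."""
    cache = NsCache(child_centric)
    stored = [cache.offer(ZONE, PARENT_NS, Trust.REFERRAL_AUTHORITY),
              cache.offer(ZONE, CHILD_NS, Trust.AA_ANSWER),
              cache.offer(ZONE, PARENT_NS, Trust.REFERRAL_AUTHORITY)]
    return stored, sorted(cache.nameservers(ZONE))

if __name__ == "__main__":
    print(disagreement(PARENT_NS, CHILD_NS), run(True), run(False), sep="\n")
```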

