[dns-operations] why does that domain resolve?

Petr Špaček pspacek at isc.org
Thu Jun 10 06:24:17 UTC 2021

On 04. 06. 21 18:56, Paul Vixie wrote:
> On Fri, Jun 04, 2021 at 12:22:10PM -0400, Anthony Lieuallen via dns-operations wrote:
>> This is a question of being parent- vs. child- centric.  The parents in the
>> DNS tree delegate correctly.  The fact that the children delegate
>> incorrectly can be a small or non-issue depending on resolver.
> those NS RRs are authoritative at the apex of the child, but not at the leaf of
> the parent. this means they have higher credibility, and also that they can be
> DNSSEC signed and validated. credibility and validity _matter_.
>> Google Public DNS uses only parent delegations (
>> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation
>> ).  Largely for issues like this: the child delegations can be wrong, but
>> for the domain to work at all, the parent delegations must be correct.
> without broad and deep failure, the quality of apex NS names will never improve.
>> (Resolvers that choose to use child delegations will likely in this case
>> discover that these delegations are bogus, and be left with only the valid
>> delegations, from the parent.)
> at which point they should return SERVFAIL. failure _matters_.

Personally, with all the experience we have in 2021, I find the historic 
decision to put authoritative NS RRs on the child side to be a poor 
choice, to the point of being indefensible.

As Anthony points out, the parent version of NS has to work anyway. It 
forces me to think a better course of action would be ignoring 
child-side NS instead of adding complex asynchronous code paths to 
validate child NS, which is not technically needed.

I mean - why waste resources on improving something which is not even 

(To be clear: This is my personal opinion, and I'm sure some of my 
colleagues at ISC will disagree violently.)

Petr Špaček
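The parent-vs-child NS distinction argued over above, as an added Python example that is not from the thread or from any resolver's code: it compares a parent-side referral with the child's apex NS RRset and shows which names each resolver policy ends up using. The zone data, the `example.test` names and the `BOGUS` set are constructed, and the three policy labels are my own names for the behaviours the posts describe.

```python
# Added example: parent delegation NS vs child apex NS, and what a resolver does with the difference.
# All records below are constructed sample data in zone presentation format.

# Constructed referral from the parent (e.g. a TLD server), as a resolver would receive it.
PARENT_REFERRAL = """\
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
ns2.example.test. 3600 IN A 192.0.2.2
"""

# Constructed apex NS RRset from the child zone; ns3 is a leftover that exists only here.
CHILD_APEX = """\
example.test. 86400 IN NS ns1.example.test.
example.test. 86400 IN NS ns2.example.test.
example.test. 86400 IN NS ns3.old-provider.test.
"""

# Constructed: names the resolver has already found to be unreachable or non-authoritative.
BOGUS = {"ns3.old-provider.test."}


def ns_set(rrs: str, owner: str) -> set[str]:
    """Collect the NS target names for `owner` from presentation-format RR lines."""
    out = set()
    for line in rrs.strip().splitlines():
        name, _ttl, cls, rtype, rdata = line.split(maxsplit=4)
        if name.lower() == owner.lower() and cls == "IN" and rtype == "NS":
            out.add(rdata.lower())
    return out


def compare(owner: str, parent_rrs: str, child_rrs: str) -> dict[str, set[str]]:
    """Partition the two NS sets; 'child_only' is what a parent-centric resolver never uses."""
    p, c = ns_set(parent_rrs, owner), ns_set(child_rrs, owner)
    return {"both": p & c, "parent_only": p - c, "child_only": c - p}


def effective_ns(owner: str, parent_rrs: str, child_rrs: str,
                 policy: str, bogus: set[str]) -> tuple[str, set[str]]:
    """Return (rcode, NS names used) under one resolver policy.
    parent-centric: use only the parent delegation (the Google Public DNS behaviour cited).
    child-strict:   trust the child apex set and fail hard if any of it is bogus (Paul's view).
    child-lenient:  trust the child apex set but drop bogus names (Anthony's expectation)."""
    p, c = ns_set(parent_rrs, owner), ns_set(child_rrs, owner)
    if policy == "parent-centric":
        return "NOERROR", p
    if policy == "child-strict":
        return ("SERVFAIL", set()) if c & bogus else ("NOERROR", c)
    if policy == "child-lenient":
        usable = c - bogus
        return ("NOERROR", usable) if usable else ("SERVFAIL", set())
    raise ValueError(f"unknown policy {policy!r}")
```

With the sample data, `compare()` reports `ns3.old-provider.test.` as child-only, and the three policies answer NOERROR with the parent set, SERVFAIL, and NOERROR with the parent set respectively.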
