[dns-operations] why does that domain resolve?
Petr Špaček
pspacek at isc.org
Thu Jun 10 06:24:17 UTC 2021
On 04. 06. 21 18:56, Paul Vixie wrote:
> On Fri, Jun 04, 2021 at 12:22:10PM -0400, Anthony Lieuallen via dns-operations wrote:
>> This is a question of being parent- vs. child- centric. The parents in the
>> DNS tree delegate correctly. The fact that the children delegate
>> incorrectly can be a small or non-issue depending on resolver.
>
> those NS RRs are authoritative at the apex of the child, but not at the leaf of
> the parent. this means they have higher credibility, and also that they can be
> DNSSEC signed and validated. credibility and validity _matter_.
>
>> Google Public DNS uses only parent delegations (
>> https://developers.devsite.corp.google.com/speed/public-dns/docs/troubleshooting/domains#delegation
>> ). Largely for issues like this: the child delegations can be wrong, but
>> for the domain to work at all, the parent delegations must be correct.
>
> without broad and deep failure, the quality of apex NS names will never improve.
>
>> (Resolvers that choose to use child delegations will likely in this case
>> discover that these delegations are bogus, and be left with only the valid
>> delegations, from the parent.)
>
> at which point they should return SERVFAIL. failure _matters_.
>
Personally, with all the experience we have in 2021, I find the historic
decision to put authoritative NS RRs on the child side to be a poor
choice, to the point of being indefensible.

As Anthony points out, the parent version of NS has to work anyway. It
forces me to think a better course of action would be ignoring
child-side NS instead of adding complex asynchronous code paths to
validate child NS, which is not technically needed.

I mean - why waste resources on improving something which is not even
needed?

(To be clear: This is my personal opinion, and I'm sure some of my
colleagues at ISC will disagree violently.)
--
Petr Špaček
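The thread above contrasts three resolver behaviours for one delegation: use only the parent's NS RRset, trust the child apex NS RRset and return SERVFAIL when it is unusable, or trust the child apex NS RRset and fall back to the parent's. The following is an added model of that choice, not code from the thread, from ISC, or from Google Public DNS; the zone name, nameserver names and the "answers authoritatively" table are constructed sample data, and the "bogus" child NS set stands in for the case Anthony describes.

```python
# Added example (not from the thread): a model of parent-centric versus
# child-centric delegation handling. Every name and answer below is
# constructed sample data; no network access is performed.
from dataclasses import dataclass


def ns_set_from_records(text: str) -> frozenset:
    """Collect the NS target names from zone-file style records such as
    'example.test. 3600 IN NS ns1.example.test.'; other RR types are skipped."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "NS":
            names.add(fields[4])
    return frozenset(names)


@dataclass(frozen=True)
class Delegation:
    zone: str
    parent_ns: frozenset  # NS RRset at the delegation point in the parent zone
    child_ns: frozenset   # NS RRset at the apex of the child zone


def compare_delegation(d: Delegation) -> dict:
    """Classify each NS name by which side of the zone cut lists it."""
    return {
        "consistent": sorted(d.parent_ns & d.child_ns),
        "parent_only": sorted(d.parent_ns - d.child_ns),
        "child_only": sorted(d.child_ns - d.parent_ns),
    }


def select_servers(d: Delegation, answers_authoritatively: dict, policy: str):
    """Pick the servers a resolver would actually query under one policy.

    'parent'         use the parent's NS set only (parent-centric)
    'child-strict'   use the child apex NS set; SERVFAIL if none of it works
    'child-fallback' use the child apex NS set; fall back to the parent's if none of it works

    Returns ('ok', servers) or ('servfail', empty set).
    """
    def usable(names):
        # Keep only names that answer authoritatively for the zone (constructed table).
        return frozenset(n for n in names if answers_authoritatively.get(n, False))

    if policy == "parent":
        chosen = usable(d.parent_ns)
    elif policy == "child-strict":
        chosen = usable(d.child_ns)
    elif policy == "child-fallback":
        chosen = usable(d.child_ns) or usable(d.parent_ns)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return ("ok", chosen) if chosen else ("servfail", frozenset())


# Constructed sample: the parent delegates to ns1/ns2, but the child apex
# NS RRset names ns3/ns4, which never answer authoritatively (a bogus child set).
PARENT_RECORDS = """\
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
"""
CHILD_RECORDS = """\
example.test. 3600 IN SOA ns3.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN NS ns3.example.test.
example.test. 3600 IN NS ns4.example.test.
"""
SAMPLE = Delegation(
    zone="example.test.",
    parent_ns=ns_set_from_records(PARENT_RECORDS),
    child_ns=ns_set_from_records(CHILD_RECORDS),
)
SAMPLE_AUTH = {  # constructed: which servers actually answer authoritatively
    "ns1.example.test.": True,
    "ns2.example.test.": True,
    "ns3.example.test.": False,
    "ns4.example.test.": False,
}


def report(d: Delegation = SAMPLE, auth: dict = SAMPLE_AUTH) -> dict:
    """Outcome of every policy for one delegation, with the NS comparison."""
    out = {"comparison": compare_delegation(d)}
    for policy in ("parent", "child-strict", "child-fallback"):
        status, servers = select_servers(d, auth, policy)
        out[policy] = (status, sorted(servers))
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With this sample the parent-centric policy and the child-with-fallback policy both end up querying ns1/ns2, while the strict child-centric policy returns SERVFAIL; that is exactly the divergence the thread argues about, and the comparison output (`child_only` non-empty, `consistent` empty) is the condition an operator would want to alert on for their own zones.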