[dns-operations] why does that domain resolve?
ietf-dane at dukhovni.org
Thu Jun 10 19:04:38 UTC 2021
On Thu, Jun 10, 2021 at 08:24:17AM +0200, Petr Špaček wrote:
> Personally, with all the experience we have in 2021, I find the historic
> decision to put authoritative NS RRs to the child side to be a poor
> choice, to the point of being indefensible.
> As Anthony points out, the parent version of NS has to work anyway. It
> forces me to think a better course of action would be ignoring
> child-side NS instead of adding complex asynchronous code paths to
> validate child NS, which is not technically needed.
I'm inclined to agree. Given a time-machine, and perverse priorities to
then use it to try to undo DNS "mistakes", I'd be inclined to try to
make "NS" be authoritative on the parent side, just like DS, and
deprecate child-side NS entirely.
Of course that would mean that signed parent zones would sign every
delegation, no opt-out (another win IMHO, that is viable now, but
would have a been a hard sell back in ~2010).
More information about the dns-operations