[dns-operations] why does that domain resolve?

Paul Vixie paul at redbarn.org
Fri Jun 11 00:06:59 UTC 2021

Viktor Dukhovni wrote on 2021-06-10 12:04:
> On Thu, Jun 10, 2021 at 08:24:17AM +0200, Petr Špaček wrote:
>> ...
> I'm inclined to agree.  Given a time-machine, and perverse priorities to
> then use it to try to undo DNS "mistakes", I'd be inclined to try to
> make "NS" be authoritative on the parent side, just like DS, and
> deprecate child-side NS entirely.
> Of course that would mean that signed parent zones would sign every
> delegation, no opt-out (another win IMHO, that is viable now, but
> would have been a hard sell back in ~2010).

given the world as it is, where credibility rules and authority status
make the apex NS more authentic than the leaf NS, and in the absence of
a time machine, these flights of fancy aren't material. but it should
help explain why the ns-revalidation draft exists and says what it does.

in the actual timeline, apex NS is very often more complete and more
accurate than leaf NS, simply by virtue of being directly controllable
by the zone administrator. work has been started several times to "pull
up" the apex values to replace the leaf values, but we never finish it.

i know of many instances where the leaf NS is half out of date, and that
the apex NS if learned will be fully up to date. we don't need to study
the matter, but i do want everyone to know that anecdotes are available
to fit _any narrative_ on this topic.

