[dns-operations] Verisign won't delete obsolete glue records?

Andrew Sullivan ajs at anvilwalrusden.com
Thu Mar 4 16:38:05 UTC 2021


On Thu, Mar 04, 2021 at 04:15:42PM +0000, Tony Finch wrote:
>As far as I know, registries that don't have separate host objects require
>glue in fewer situations than Verisign-style registries.

I don't think this is true, and I don't think the model requires it either.

>For example, if I change the delegation for dotat.at to include
>ns.example.at, I don't provide an IP address for ns.example.at because it
>doesn't belong to me, and the owner of example.at would not be able to
>keep my copy of the address of ns.example.at correct.

Yes.  But in a host-object registry, the owner of the host object
needs to update the glue, and just in case it is required.  RFC 5732
says, "When a host object is provisioned for use as a DNS name server,
IP addresses SHOULD be required only as needed to generate DNS glue
records."  To me, this means that the IP need not be required on
internal hosts if the host is not the nameserver of the domain in
question (EPP calls them "superordinate" and "subordinate", but I
think most of us would say "parent" and "child").  There is an
argument to be made that a host object should be prevented from
getting an IP address attribute unless the sponsor (most people would
say "registrar") of the domain object is the sponsor of the host
object.  I know ther e is such an arugment because I made it pretty
forcefully one time (I lost ;-) )

The disadvantage of a nameserver-attribute arrangement is that, if the
domain in question gets deleted, there isn't really a way within EPP
to refuse that, because there's no necessary relationship between the
nameserver attributes (they're just attributes, after all) and the
domain object that is being removed.  So there's a greater opportunity
to create lame delegations.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com

More information about the dns-operations mailing list