Hello,
sorry for chiming in a bit late but I find part of this proposal a bit
harmful:
> …the Parental Agent, knowing both the Child zone name and its NS
> hostnames, MUST ascertain that queries are made against all (reachable)
> nameservers listed in the Child's delegation from the Parent…
You cannot send queries to hostnames, you have to query an IP address.
So you have to somehow convert each NS hostname into a set of IP addresses.
Normally people do this by asking the local recursive resolver. But with
the spirit of this draft this does not seem to be a reasonable thing to
do because in a multi-signer scenario, each party can resolve the same
hostname to a completely different set of IP addresses. Using a local
recursive resolver might thus bring completely random results based on
which authoritative server it will query.
In fact, every single branch of the DNS tree can lead to resolving a
hostname to a completely different set of IP addresses, including the
possible inconsistency between the 13 hostnames of the root servers.
Properly resolving a hostname into a set of all possible IP addresses
would therefore require reimplementing a recursive resolver to make it
follow not only one path but all the possible paths through the DNS
tree. This would be extremely hard to implement and such a resolver
would be extremely resource intensive to operate.
Then, suppose you get multiple IP addresses for a host name. Is it
enough to ask one randomly selected address or does one have to query
every single IP address the hostname resolves to? Again I see no
guidance for this in the draft.
I think these are crucial questions influencing interoperability of
implementations following this draft. I find it therefore harmful to
just specify that you MUST query each NS hostname, without describing
the details of how to do such a thing in a consistent and useful way.
Since Oli Schacher claims to have this draft already implemented, I
wonder, what decisions did you take when implementing this? How exactly
does your implementation work for hostnames that resolve to inconsistent
sets of IP addresses?
Also, appendix A1 describes an impossible failure scenario, considering
that Section 6.2 of RFC 7344 says that:
> The Parental Agent MUST ensure that previous versions of the CDS/
> CDNSKEY RRset do not overwrite more recent versions.
--
Best regards,
Ondřej Caletka
RIPE NCC
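Python sketch, added here and not part of the mail or of any implementation of the draft, of the resolution step the mail says is left unspecified: it collects, per NS hostname in the delegation, the union of addresses seen through several "views" (standing in for each signer's authoritative servers) and flags hostnames whose address sets disagree. The hostnames, addresses and view names are constructed.

```python
"""Added example, not from the mail or any draft implementation: turn each NS
hostname in the Child's delegation into the address set to query, when different
"views" (e.g. each signer's authoritative servers in a multi-signer setup) may
answer differently. The lookup is injected so this runs offline on constructed
data; a real implementation would send A/AAAA queries through each view."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str, str], Set[str]]  # (view, hostname) -> addresses

# Constructed NS hostnames the Parent lists for the Child zone.
CHILD_DELEGATION_NS = ["ns1.example.net.", "ns2.example.org."]

# Constructed per-view answers; signer-b publishes an extra address for ns2.
CONSTRUCTED_VIEWS: Dict[str, Dict[str, Set[str]]] = {
    "signer-a": {"ns1.example.net.": {"192.0.2.1", "2001:db8::1"},
                 "ns2.example.org.": {"198.51.100.2"}},
    "signer-b": {"ns1.example.net.": {"192.0.2.1", "2001:db8::1"},
                 "ns2.example.org.": {"198.51.100.2", "198.51.100.3"}},
}

def constructed_resolver(view: str, hostname: str) -> Set[str]:
    """Stand-in for an A/AAAA lookup of hostname as answered through view."""
    return set(CONSTRUCTED_VIEWS[view].get(hostname, set()))

def gather_targets(ns_names: Iterable[str], views: Iterable[str],
                   resolve: Resolver) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Return ({hostname: union of addresses seen across views}, notes).

    Policy chosen here (one possible reading, not the draft's text): query the
    union of every address any view returns rather than one random address,
    and record disagreement between views so it can be logged or alerted on."""
    views = list(views)
    targets: Dict[str, Set[str]] = {}
    notes: List[str] = []
    for name in ns_names:
        per_view = {v: frozenset(resolve(v, name)) for v in views}
        union: Set[str] = set().union(*per_view.values())
        if not union:
            notes.append(f"{name}: no address from any view, treat as unreachable")
        elif len(set(per_view.values())) > 1:
            detail = "; ".join(f"{v}={sorted(a)}" for v, a in per_view.items())
            notes.append(f"{name}: inconsistent address sets: {detail}")
        targets[name] = union
    return targets, notes

if __name__ == "__main__":
    t, n = gather_targets(CHILD_DELEGATION_NS, CONSTRUCTED_VIEWS, constructed_resolver)
    print(t, n, sep="\n")
```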