Hi all,

On 24 Jun 2025, at 13:42, Ondřej Caletka <[email protected]> wrote:

> sorry for chiming in a bit late but I find part of this proposal a bit
> harmful:
>
> > …the Parental Agent, knowing both the Child zone name and its NS hostnames,
> > MUST ascertain that queries are made against all (reachable) nameservers
> > listed in the Child's delegation from the Parent…
>
> You cannot send queries to hostnames, you have to query an IP address. So you
> have to somehow convert each NS hostname into a set of IP addresses.

I am also unsure about this, because it feels like it's not a very DNS way of doing things. (I have mentioned this to Peter before, I think, but I can't currently remember whether it was on this list or somewhere else.)

Usually we accept any response from any authoritative nameserver as authoritative and don't poll all possible authoritative nameservers. We understand that there might be reasons why the responses are different, because we know that the DNS is only loosely coherent for various reasons. I am uncomfortable with this. Perhaps it's fine. Perhaps therapy would help.

Another potential pitfall is the assertion that the NS set on either side of the zone cut is identical. Despite much fervent advice to the contrary, it is often possible for the delegation set in the parent to be different from the apex set in the child without any resulting failure. I used to work somewhere where the two sets were deliberately different for a reason (I forget what the reason was, but I remember there was a reason). I am not trying to reignite that particular debate, but I'll observe that "all (reachable) nameservers listed in the child's delegation from the parent" is not always the same as "all nameservers that are authoritative for the child zone".

The parenthetical "reachable" also makes me wonder a bit. If it's ok not to consult some nameservers because they are not reachable from a particular vantage point, is it not also ok to ignore them at other times?

Is any of this necessary? Is it not sufficient to make the publication of information the child zone administrator's problem? Why do we find it necessary for the parent to assume the child is doing a poor job? Note we are talking about the DNS here, in case anybody of child-rearing age is feeling triggered.

> Normally people do this by asking the local recursive resolver. But with the
> spirit of this draft this does not seem to be a reasonable thing to do because
> in a multi-signer scenario, each party can resolve the same hostname to a
> completely different set of IP addresses. Using the local recursive resolver
> might thus bring completely random results based on which authoritative
> server it will query.

This seems like it could be true in some cases but I am not sure why it needs to matter. It has the aroma of the same kind of bootstrapping problem that brought the gift of glue records into our lives, for example, gifts that we enjoy so much we often forget they are there. Can we not assume that either the hostnames concerned are able to be resolved, or they are not able to be resolved, in which case there is a fault that someone should fix?

Joe

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
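The two mechanical points raised in the message above, that the parent-side delegation NS set and the child-side apex NS set need not match, and that "query every listed nameserver" first has to turn each NS hostname into a set of addresses (with in-bailiwick names depending on glue), are illustrated by the following added example. It is not code from the draft, from the list thread, or from any Parental Agent implementation; the zone names, NS hostnames and address map are all constructed for illustration.

```python
"""Added example (not from the draft or the thread): compare the NS RRset on
both sides of a zone cut and work out which addresses a "query all listed
nameservers" check would actually have to contact. All names and addresses
below are constructed sample data."""

from typing import Dict, Iterable, List, Set, Tuple


def normalize(name: str) -> str:
    """Canonicalise a DNS name for comparison: lower-case, one trailing dot."""
    return name.rstrip(".").lower() + "."


def compare_ns_sets(parent_ns: Iterable[str], child_ns: Iterable[str]) -> Dict[str, Set[str]]:
    """Compare the delegation NS set (parent side of the cut) with the apex NS
    set (child side). Either side may legitimately list names the other lacks."""
    p = {normalize(n) for n in parent_ns}
    c = {normalize(n) for n in child_ns}
    return {"parent_only": p - c, "child_only": c - p, "common": p & c}


def needs_glue(ns_host: str, child_zone: str) -> bool:
    """An NS hostname at or below the child apex is in-bailiwick: its address
    can only be learned from glue in the parent, since resolving it would
    require the very delegation being checked."""
    h, z = normalize(ns_host), normalize(child_zone)
    return h == z or h.endswith("." + z)


def query_targets(
    ns_hosts: Iterable[str], addresses: Dict[str, List[str]]
) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Expand NS hostnames into (hostname, address) pairs to query. Hostnames
    with no known address are reported rather than silently dropped, so a
    "reachable" qualifier cannot quietly hide a missing or broken name."""
    targets: List[Tuple[str, str]] = []
    unresolved: List[str] = []
    for host in sorted({normalize(n) for n in ns_hosts}):
        addrs = addresses.get(host, [])
        if not addrs:
            unresolved.append(host)
        targets.extend((host, a) for a in addrs)
    return targets, unresolved


# Constructed sample data: a delegation for child.example. whose parent-side
# and child-side NS sets deliberately differ, plus an address map standing in
# for whatever A/AAAA lookups (or glue) the agent would otherwise perform.
CHILD_ZONE = "child.example."
PARENT_DELEGATION = ["ns1.example.net.", "ns2.example.net.", "ns.child.example."]
CHILD_APEX = ["NS1.example.net", "ns2.example.net.", "ns3.example.org."]
ADDRESSES = {
    "ns1.example.net.": ["192.0.2.1", "2001:db8::1"],
    "ns2.example.net.": ["192.0.2.2"],
    "ns.child.example.": ["192.0.2.53"],  # only knowable via glue in the parent
    # ns3.example.org. intentionally has no address on record
}


def report() -> Dict[str, object]:
    """Summarise the checks for the constructed delegation."""
    diff = compare_ns_sets(PARENT_DELEGATION, CHILD_APEX)
    glue = sorted(h for h in map(normalize, PARENT_DELEGATION) if needs_glue(h, CHILD_ZONE))
    targets, unresolved = query_targets(PARENT_DELEGATION, ADDRESSES)
    return {"diff": diff, "needs_glue": glue, "targets": targets, "unresolved": unresolved}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Note that querying "all nameservers listed in the child's delegation from the parent" fans out to four addresses here, while the child's apex set points at a name the address map cannot resolve at all; the two sets overlap but neither is a superset of the other, which is exactly the situation the message describes.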
