Hello,

On 13 Oct 2014, at 7:51, Rob <roblo...@gmail.com> wrote:

> > So in "untechnical","policywise" language: 
> > do you need to delegate authority ...? 
> > If not, then maybe keep it simple (whichever method that is). 
> 
> In some cases, we’ll be delegating authority, so we'll simply have the domain 
> NS records in the foo zone, nothing else. 
> 
> In other cases, customers will be using our nameservers, so we’ll have the 
> SOA/NS records in the domain zone.  But do we need any records in the foo 
> zone in that scenario? 

If ‘foo’ and ‘bar.foo’ are separate zones on the same name server, you need 
SOA+NS in ‘bar.foo’ *and* NS in ‘foo’. Without DNSSEC, you can get away without 
NS in ‘foo’, but as soon as ‘foo’ is DNSSEC signed, you need the NS records so 
that DNSSEC can do an (in)secure proof on the delegation.

Kind regards,
-- 
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
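
A check for the rule in the reply above, as an added example that is not part of the original message or of PowerDNS: for every zone whose parent zone is hosted on the same server, it reports whether the parent carries the delegation NS set and whether that delegation is secure (DS present) or insecure. The record tuples, the `ns1.example.net.` host name, the `baz.foo` and `qux.foo` zones, and the status labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (zone the record is stored in, owner, type, rdata)
RECORDS = [
    ("foo", "foo.", "SOA", "ns1.example.net. hostmaster.example.net. 1 3600 600 604800 300"),
    ("foo", "foo.", "NS", "ns1.example.net."),
    ("foo", "bar.foo.", "NS", "ns1.example.net."),   # delegation, no DS
    ("foo", "qux.foo.", "NS", "ns1.example.net."),   # delegation with DS
    ("foo", "qux.foo.", "DS", "12345 8 2 <constructed-digest>"),
    ("bar.foo", "bar.foo.", "SOA", "ns1.example.net. hostmaster.example.net. 1 3600 600 604800 300"),
    ("bar.foo", "bar.foo.", "NS", "ns1.example.net."),
    ("baz.foo", "baz.foo.", "SOA", "ns1.example.net. hostmaster.example.net. 1 3600 600 604800 300"),
    ("baz.foo", "baz.foo.", "NS", "ns1.example.net."),  # parent 'foo' has no NS for it
    ("qux.foo", "qux.foo.", "SOA", "ns1.example.net. hostmaster.example.net. 1 3600 600 604800 300"),
    ("qux.foo", "qux.foo.", "NS", "ns1.example.net."),
]

def closest_parent(zone, zones):
    """Return the nearest enclosing zone that is also hosted locally, or None."""
    labels = zone.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def check_delegations(records):
    """Map each locally hosted child zone to (parent, delegation status)."""
    rrsets = defaultdict(set)
    for zone, owner, rtype, rdata in records:
        rrsets[(zone, owner.lower(), rtype)].add(rdata.lower())
    zones = {key[0] for key in rrsets}
    report = {}
    for child in sorted(zones):
        parent = closest_parent(child, zones)
        if parent is None:
            continue
        apex = child + "."
        parent_ns = rrsets.get((parent, apex, "NS"), set())
        child_ns = rrsets.get((child, apex, "NS"), set())
        if not parent_ns:
            status = "missing-ns"      # a signed parent cannot prove this delegation
        elif parent_ns != child_ns:
            status = "ns-mismatch"     # parent and child disagree on the NS set
        elif rrsets.get((parent, apex, "DS")):
            status = "secure"          # NS + DS in parent
        else:
            status = "insecure"        # NS only: provably unsigned delegation
        report[child] = (parent, status)
    return report
```
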
