Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minor editorial updates to Roy's recent PRs #32

Merged
merged 1 commit into from
Jan 18, 2024
Merged

Minor editorial updates to Roy's recent PRs #32

merged 1 commit into from
Jan 18, 2024

Conversation

paulehoffman
Copy link
Contributor

No description provided.

bemasc
bemasc reviewed Jan 18, 2024
View reviewed changes
draft-dnsop-deleg.md

The DELEG resource record type is unusual in that it appears only on the parent zone's side of a zone cut. For example, the DELEG RRset for the delegation of "foo.example" is stored in the "example" zone rather than in the "foo.example" zone. This requires special processing rules for both name servers and resolvers, as the name server for the child zone is authoritative for the name at the zone cut by the normal DNS rules but the child zone does not contain the DELEG RRset.
DELEG records, when present, are included in referrals. When a parent and child are served from the same authoritative server, this referral will not be sent because the authoritative server will respond with information from the child zone. In that case, the resolver may query for type DELEG.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this section shows the hidden complexity of the proposed "DELEG+NS" referral response, and we shouldn't be too hasty in concluding that it is the way forward. For -00, I think it's fine but we could use some additional disclaimers about the possible downsides.

Suggested change
FOR DISCUSSION: The additional complexity here, with resolvers needing two very different resolution behaviors, merits further investigation. It also opens some potential paradoxes. For example, if the server is authoritative for the child via DELEG, but not via NS, then it cannot serve any answer that will work for both DELEG-aware and non-DELEG-aware resolvers.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point. I also wonder how often of a case this would be and whether or not it is worth the special handling at all.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moin!

uk and co.uk
au and com.au

comes to my mind immediately. It is similar then DS which has the exact same kind of handling.

So long
-Ralf

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this PR was closed, I opened #33 to discuss the second part of this issue.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, so I suppose this could help with sharding migration of individual second-level domains.

As much as it is probably not required in that case, there may be implications for draft-dnsop-deleg-dnssec.md though.

@fl1ger fl1ger merged commit 655211b into fl1ger:main Jan 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fl1ger fl1ger fl1ger left review comments

@bemasc bemasc bemasc left review comments

@chantra chantra chantra left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@paulehoffman @chantra @bemasc @fl1ger