On 2020-11-17 at 07:56 +0000, Paul Vixie wrote:

> only if a stub asks the recursive for the apex NS RRset, and the recursive
> cannot respond with the delegation (which would upgrade the RRset's
> credibility from authority to answer), and it has to go fetch it, can the
> decision to use the parent or child information when making subsequent
> queries to that zone be made. i'd hope to see the higher-credibility RRset
> (from the child's apex) be used in that situation, but it's going to be rare.
Double-check: in such a scenario, if the request is for the recursive to validate DNSSEC and this zone is not opt-out, then the recursive would HAVE to get the data from the child, because the parent won't have RRSIG records for the glue NS, right?

So once asked for the NS explicitly, a validating recursive handling a child zone has to use the child RRset at least for that answer; but if never asked for the NS, then the DS->DNSKEY validation is sufficient and this never needs to happen.

I can see the appeal of trying to avoid the child NS, to counter fast-flux abusive domains at the cost of not letting mismanaged domains get away with quite as much divergence between parent registration and reality.

-Phil

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
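The resolver behaviour discussed in this thread, an NS RRset learned from the parent's referral competing with the child's apex NS RRset, and why a validating resolver ends up at the child, as an added illustration that is not part of the original message or of any resolver's source code. It models the credibility ranking of RFC 2181 section 5.4.1 in Python: the zone and nameserver names are constructed, the `fetch_child` callback stands in for a real query to the child's authoritative servers, and the model assumes the DS->DNSKEY chain has already shown the child zone to be signed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Trust(IntEnum):
    """Credibility ranking of cached data, after RFC 2181 section 5.4.1."""
    ADDITIONAL_GLUE = 1        # glue in the additional section of a referral
    AUTHORITY_DELEGATION = 2   # NS RRset in the authority section of a referral (parent side)
    AUTHORITATIVE_ANSWER = 3   # answer section from the child zone's own authoritative server


@dataclass(frozen=True)
class NSRRset:
    zone: str
    names: FrozenSet[str]
    source: Trust
    signed: bool   # True if an RRSIG covering the RRset arrived with it


class NSCache:
    """One NS RRset per zone; lower-credibility data never replaces higher-credibility data."""

    def __init__(self) -> None:
        self._by_zone: Dict[str, NSRRset] = {}

    def store(self, rrset: NSRRset) -> bool:
        current = self._by_zone.get(rrset.zone)
        if current is not None and rrset.source < current.source:
            return False          # keep the more credible RRset already cached
        self._by_zone[rrset.zone] = rrset
        return True

    def get(self, zone: str) -> Optional[NSRRset]:
        return self._by_zone.get(zone)


def answer_ns_query(cache: NSCache, zone: str, validating: bool,
                    fetch_child: Callable[[str], NSRRset]) -> Tuple[NSRRset, bool]:
    """Answer a stub's explicit query for the apex NS RRset of `zone`.

    Returns (rrset used, whether the child had to be queried).  A
    non-validating resolver may answer from the parent-side delegation NS
    RRset it cached during a referral.  A validating resolver may only return
    signed data, and the parent does not sign the delegation NS RRset, so it
    must fetch the child's apex NS RRset whenever no signed one is cached.
    """
    cached = cache.get(zone)
    if cached is not None and (not validating or cached.signed):
        return cached, False
    child = fetch_child(zone)
    cache.store(child)            # answer-section data outranks the delegation
    return child, True


def demo() -> Dict[str, Tuple[str, bool, bool]]:
    """Constructed scenario: the parent's delegation and the child's apex NS disagree."""
    zone = "example.test."
    # Hypothetical names: what the registry holds versus what the child actually publishes.
    parent_side = NSRRset(zone, frozenset({"ns1.registered.test.", "ns2.registered.test."}),
                          Trust.AUTHORITY_DELEGATION, signed=False)
    child_side = NSRRset(zone, frozenset({"ns1.actual.test.", "ns2.actual.test."}),
                         Trust.AUTHORITATIVE_ANSWER, signed=True)

    def fetch_child(z: str) -> NSRRset:
        assert z == zone
        return child_side

    results: Dict[str, Tuple[str, bool, bool]] = {}
    for label, validating in (("non-validating", False), ("validating", True)):
        cache = NSCache()
        cache.store(parent_side)  # learned from the referral during ordinary resolution
        used, fetched = answer_ns_query(cache, zone, validating, fetch_child)
        # Does a later referral from the parent get accepted over what is now cached?
        later_referral_accepted = cache.store(parent_side)
        results[label] = (used.source.name, fetched, later_referral_accepted)
    return results


if __name__ == "__main__":
    for label, (source, fetched, accepted) in demo().items():
        print(f"{label}: answered from {source}, child queried={fetched}, "
              f"later parent referral accepted={accepted}")
```

The non-validating case answers from the cached delegation and never learns the child's view; the validating case has to fetch the signed apex RRset, after which a later referral from the parent can no longer downgrade the cache, which is the "use the higher-credibility RRset for subsequent queries" outcome Paul describes.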
