Bill,

On Tue, Nov 27, 2007 at 08:57:13PM +0000, [EMAIL PROTECTED] wrote:
> On Tue, Nov 27, 2007 at 02:05:55PM -0500, Edward Lewis wrote:
> > At 6:25 PM +0000 11/27/07, [EMAIL PROTECTED] wrote:
> > 
> > >   then we have a small issue...  you as zone admin, can't
> > >   dictate which IP's i must use on my machines, since you don't
> > >   control my connectivity.  as zone admin, your job is to
> > >   provide accurate mapping between label and address ... the
> > >   extent of your influence is over the labels used, not their
> > >   IP addresses.
> > 
> > Since we are getting into pronouns, let's clarify what the roles are. 
> > At least these are what I think we are talking about.
> > 
> > Zone admin = the registrant of the domain owning the NS set.
> > You ("I" above) = the dude that has the root password to a machine 
> > that is mentioned in the NS set.
> > 
> > (As opposed to zone admin being the registry that the data is going in to.)
> > 
> > It is the prerogative of you to do what it takes to get your machine 
> > to function correctly.  It's the prerogative of the zone admin to 
> > include (or not) your machine in the NS set.
> > 
> > A zone admin ought to be aware of what the state of the slave servers 
> > are.  (That's my main point.)  There are minor tweaks, like IP 
> > addresses, and then there are major tweaks, like letting the domain 
> > lapse.  A responsible zone admin would be up to date on what the 
> > slave server admins are up to.  So, in this case, when the slave 
> > server changes IP addresses, this goes to the zone admin, who would 
> > then have to update the IP addresses registered.
> 
>       a concrete example:
> 
>       i have a zone, example.org and chose the following
>       nameservers:
> 
>               moe.rice.edu
>               ns.isi.edu
>               PDC.example.org

Responsible registry admins would KISS; this is the view of what I
think one of them should do.

>       as the admin of PDC.example.org, I know what IP addresses
>       are assigned and can change them on whim.  However, it is
>       the Height of Arrogance to presume I can tell the rice.edu

So at delegation time it'll mandate you to inform the glue record and
will check it for authority on example.org.

>       or isi.edu people what IP addresses to use on their machines.
>       as the admin for example.org, I clearly have the right to 
>       choose/select nameservers for my delegation that meet my
>       needs.  Now the poor .org admin - he has to believe me when
>       i tell him what nameservers will be authoritative for example.org.
>       and it's prolly prudent for him to contact the admins of
>       ns.isi.edu and moe.rice.edu to collect the correct IP addresses
>       for those nodes...  If I was the poor sod responsible for
>       .org,

It'll just use plain old A resolution for these two names, will query
them for authority on example.org.

>       I would not really believe that the moron holding example.org
>       had done his homework and actually -KNEW- what the IP addresses
>       were for these nodes or was in a position to keep that data
>       current.  but that would be me.

Responsible registry admins in your example would just collect glue
for PDC.example.org and will not accept delegation or a change on it
if any of the 3 DNS authority checks failed.

For the .org registry admin there is no need to collect or know who is
the admin and what are the addresses of moe.rice.edu and ns.isi.edu,
let the plain old DNS do its magic.

Fred

ps, btw this simple and functional policy is valid for any zone,
including the root!

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop
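
The delegation-time policy described in the message above, sketched as an added example (not code from the thread or from any registry): glue is taken only for the in-zone name, the other two names go through ordinary A resolution, and every address must answer an SOA query for the zone with the AA bit set. The function names, the header-only response check, the stubbed network exchange and the documentation-range addresses are assumptions made for this illustration.

```python
import struct

QID = 0x1234  # constructed query id used throughout this example

def in_bailiwick(ns, zone):
    """True when the NS name is at or below the zone, so the parent needs glue."""
    ns, zone = ns.rstrip(".").lower(), zone.rstrip(".").lower()
    return ns == zone or ns.endswith("." + zone)

def soa_query(zone):
    """Wire-format SOA query for the zone with RD clear (non-recursive)."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", QID, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 6, 1)

def is_authoritative(resp):
    """Header check only: matching id, QR=1, AA=1, RCODE=0 and at least one answer."""
    if len(resp) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    qr, aa, rcode = flags >> 15, (flags >> 10) & 1, flags & 0xF
    return rid == QID and qr == 1 and aa == 1 and rcode == 0 and ancount > 0

def check_delegation(zone, ns_names, glue, resolve, exchange):
    """Return the list of failures; an empty list means the delegation is accepted."""
    failures = []
    for ns in ns_names:
        key = ns.rstrip(".").lower()
        # Glue from the registrant only for in-zone names; plain A lookup otherwise.
        addrs = glue.get(key, []) if in_bailiwick(ns, zone) else resolve(key)
        if not addrs:
            failures.append((key, "no address"))
        for ip in addrs:
            if not is_authoritative(exchange(ip, soa_query(zone))):
                failures.append((key, ip + " not authoritative"))
    return failures

# Constructed sample data: names are from the message, addresses are documentation ranges.
NS_SET = ["moe.rice.edu", "ns.isi.edu", "PDC.example.org"]
GLUE = {"pdc.example.org": ["192.0.2.53"]}
A_RECORDS = {"moe.rice.edu": ["198.51.100.1"], "ns.isi.edu": ["203.0.113.1"]}

def resolve(name):
    """Stand-in for ordinary A resolution of an out-of-zone nameserver name."""
    return A_RECORDS.get(name, [])

def fake_exchange(lame):
    """Stand-in for a UDP round trip; servers whose IP is in `lame` answer without AA."""
    def exchange(ip, query):
        aa = 0 if ip in lame else 1
        return struct.pack("!6H", QID, 0x8000 | (aa << 10), 1, aa, 0, 0) + query[12:]
    return exchange
```

A real check would replace `fake_exchange` with an actual query to each address and would also validate the answer section, which this header-only test does not do.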
