I realised that the primary/secondary split I talked about in my previous message turned out to be the wrong idea. There were lots of complicating issues that made it clear that auth server ANAME behaviour does not cleanly follow the traditional primary/secondary split.
Instead I think the split should be between active ANAMEs, where an auth server fetches address records from the target, and passive ANAMEs, where the server just uses the addresses it got from the master file or zone transfer etc.

A server can be active if it has the private signing keys or if the zone is unsigned. It has to be passive if the zone is signed and it lacks keys. It doesn't matter how the zone contents are provided to the server.

I still think it would be helpful to have separate sections in the spec for active and passive auth servers.

This active/passive split could also be extended to recursive servers, though the logic is a bit different. (See previous message for details.) I don't know whether or not it makes sense to have auth servers be similarly sensitive to DO and CD.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at

DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
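A small model of the active/passive distinction described above, added here as an illustration and not code from the message or from any ANAME draft: the mode is gated on zone signing state and key availability, and only an active server replaces the sibling A/AAAA records with what it fetched from the target. The target lookup is a constructed in-memory stub standing in for a real network fetch.

```python
"""Toy model of active vs passive ANAME handling at an authoritative server."""
from dataclasses import dataclass, field


@dataclass
class Zone:
    signed: bool
    have_signing_keys: bool
    # owner name -> {rrtype: [rdata, ...]}; the ANAME target is stored under "ANAME"
    records: dict = field(default_factory=dict)


# Constructed stand-in for "fetch address records from the target".
# A real active server would resolve the target name over the network.
STUB_TARGET_ADDRESSES = {
    "cdn.example.net.": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
}


def aname_mode(zone: Zone) -> str:
    """Active if the server can sign the substituted records, or signing is not needed."""
    if not zone.signed or zone.have_signing_keys:
        return "active"
    # Signed zone without keys: it cannot produce valid RRSIGs for new
    # sibling records, so it must serve what the master file / AXFR gave it.
    return "passive"


def fetch_target_addresses(target: str, rrtype: str) -> list:
    """Hypothetical resolver call; returns [] when the target has no such records."""
    return STUB_TARGET_ADDRESSES.get(target, {}).get(rrtype, [])


def answer_address_query(zone: Zone, name: str, rrtype: str) -> tuple:
    """Return (mode, rdata list) for an A/AAAA query at an ANAME owner name."""
    rrsets = zone.records.get(name, {})
    sibling = list(rrsets.get(rrtype, []))
    target = rrsets.get("ANAME")
    mode = aname_mode(zone)
    if target is None or mode == "passive":
        return mode, sibling           # passive: serve the stored sibling records
    fetched = fetch_target_addresses(target[0], rrtype)
    if fetched:
        rrsets[rrtype] = fetched       # active: sibling records now track the target
        return mode, fetched
    return mode, sibling               # fetch failed: fall back to stored siblings
```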