The parent is not authoritative for the NS records in the delegation. The same goes for any glue 
address records at or below the delegation point. The parent does not sign 
non-authoritative records.

The parent is authoritative for any DS records and any NSEC records at the 
delegation point. Those are signed by the parent.


Mats

---
Mats Dufberg
mats.dufb...@internetstiftelsen.se
Technical Expert
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899
https://internetstiftelsen.se/

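As an added illustration of the split Mats describes (not code from anyone in this thread), the following Python models a parent zone's view of one delegation point and classifies each RRset as parent-signed data (DS, NSEC) or unsigned delegation data (NS, glue); it also compares the parent-side NS set with the child's apex NS set, which is the check DNSSEC alone cannot make. All names, addresses and the DS digest are constructed placeholders.

```python
from dataclasses import dataclass

# RR types a parent zone is authoritative for at a delegation point and therefore signs.
PARENT_AUTHORITATIVE = {"DS", "NSEC", "NSEC3"}
GLUE_TYPES = {"A", "AAAA"}


@dataclass(frozen=True)
class RRset:
    owner: str    # owner name, e.g. "child.example."
    rtype: str    # RR type mnemonic
    rdata: tuple  # rdata strings
    rrsig: bool   # True if the parent serves an RRSIG covering this RRset


def _at_or_below(owner: str, delegation: str) -> bool:
    return owner == delegation or owner.endswith("." + delegation)


def classify(rr: RRset, delegation: str) -> str:
    """Classify one RRset the parent serves, relative to the delegation point."""
    if rr.owner == delegation and rr.rtype in PARENT_AUTHORITATIVE:
        # Parent-authoritative data: a validator requires a parent RRSIG here.
        return "parent-signed" if rr.rrsig else "bogus-missing-rrsig"
    if rr.owner == delegation and rr.rtype == "NS":
        # Delegation NS set: the parent is not authoritative, so it is never parent-signed.
        return "unexpected-rrsig" if rr.rrsig else "unsigned-delegation-ns"
    if rr.rtype in GLUE_TYPES and _at_or_below(rr.owner, delegation):
        return "unsigned-glue"
    return "not-delegation-data"


def ns_consistency(parent_ns: RRset, child_ns: RRset) -> dict:
    """Compare parent-side and child-side NS sets; only the child-side set can be DNSSEC-validated."""
    p, c = set(parent_ns.rdata), set(child_ns.rdata)
    return {"consistent": p == c, "parent_only": sorted(p - c), "child_only": sorted(c - p)}


DELEGATION = "child.example."
# Constructed parent-side records for the delegation (placeholder values, not real data).
PARENT_VIEW = [
    RRset(DELEGATION, "NS", ("ns1.child.example.", "ns2.child.example."), rrsig=False),
    RRset("ns1.child.example.", "A", ("192.0.2.1",), rrsig=False),
    RRset(DELEGATION, "DS", ("12345 13 2 <digest-placeholder>",), rrsig=True),
    RRset(DELEGATION, "NSEC", ("child2.example. NS DS RRSIG NSEC",), rrsig=True),
]
# Constructed child apex NS set, signed with the child's keys; it differs from the parent's copy.
CHILD_APEX_NS = RRset(DELEGATION, "NS", ("ns1.child.example.", "ns3.child.example."), rrsig=True)


def report():
    statuses = {(rr.owner, rr.rtype): classify(rr, DELEGATION) for rr in PARENT_VIEW}
    return statuses, ns_consistency(PARENT_VIEW[0], CHILD_APEX_NS)
```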

From: DNSOP <dnsop-boun...@ietf.org> on behalf of Ólafur Guðmundsson 
<olafur=40cloudflare....@dmarc.ietf.org>
Date: Tuesday, 26 July 2022 at 15:29
To: Petr Špaček <pspa...@isc.org>
Cc: dnsop@ietf.org WG <dnsop@ietf.org>
Subject: Re: [DNSOP] signing parent-side NS (was: Re: Updating RFC 7344 for 
cross-NS consistency)
Parent is authoritative for the existence of the delegation
Child is authoritative for the contents of the delegation

DNS design did not take this into account, thus there is no "range" of Parent-only 
records; DS is the only record that is explicitly a "violation" of this.

IMHO RFC103x should have defined a DEL record in parent and NS in the child
then resolvers could have kept both sides.

Olafur


On Tue, Jul 26, 2022 at 9:22 AM Petr Špaček 
<pspa...@isc.org> wrote:
On 28. 06. 22 16:20, Bob Harold wrote:
> But the parent NS set is not covered by DNSSEC, and thus could be spoofed??
> (Wish we could fix that!)

I share your wish.

Does anyone else want to contribute?

Can people here share their memories of why it is not signed? I wasn't
doing DNS when this was designed and I think it would be good to
understand the motivation before we start proposing crazy things.

Thank you for your time.

--
Petr Špaček

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop