Paul Vixie wrote:

>>The fix is, again, that, if you are told that NS for www.example1.com
>>is ns.example2.com with glue-A of ns.example2.com is 1.2.3.4, the
>>glue-A must be cached with a tag that the information is valid only
>>as NS of www.example1.com.


> I'm comfortable with that approach, although I think it's safe to use it as
> glue for any NS RR,


It is unsafe, because 1.2.3.4 will give you a forged answer for other
queries to ns.example2.com.

> will you
> propose text for the forgery-resilience draft that expresses your point of
> view?


"Glue A from a name server is, in general, outside of the zone served
by the name server and is never authoritative. The glue can be used
only for the original query."

> I'm unsure if I understand you. The resolvers I use would ignore the
> glue-A of ns.example2.com entirely in this case, since the server was
> being asked a question where only its authority for things ending on
> example1.com is assumed.


My point is that that is a misdirected approach which solves nothing.

Glue A can never be authoritative, even if you wrongly think there
is authority.

Glue A can always be cached, though it can be used only as the glue
to proceed with the original query.

Masataka Ohta


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: