Paul Vixie wrote:

>>The fix is, again, that, if you are told that NS for
>>is with glue-A of is, the
>>glue-A must be cached with a tag that the information is valid only
>>as NS of

> i'm comfortable with that approach, although i think it's safe to use it as
> glue for any NS RR,

It is unsafe, because, will give you forged answer for other
queries to

> will you
> propose text for the forgery-resilience draft that expresses your point of
> view?

"Glue A from a name server is, in general, outside of the zone served
by the name server and is never authoritative. The glue can be used
only for the original query."

> I'm unsure if I understand you. The resolvers I use would ignore the
> glue-A of entirely in this case, since the server was
> being asked a question where only its authority for things ending on
> is assumed.

My point is that that is the misdirected approach solving nothing.

Glue A can never be authoritative, even if you wrongly think there
were authority.

Glue A can always be cached, though it can be used only as the glue
to proceed the original query.

Masataka Ohta

to unsubscribe send a message to with
the word 'unsubscribe' in a single line as the message text body.