Re: [dnsext] zone cut semantics

[Olafur Gudmundsson <ogud@ogud.com>]

On 20/02/2011 3:44 PM, Jim Reid wrote:
> On 20 Feb 2011, at 20:14, Brandon Black wrote:
>
>> Isn't this really a matter of semantics?
>
> Yes: zone cut semantics, not language semantics.
>
>> The parent zone is
>> authoritative for everything beneath itself, even if it choses to use
>> that power of authority to give a delegation response. e.g. the .com
>> servers are authoritative for www.example.com, but they choose to
>> delegate that answer to the NS for example.com.
>
> Nope. Query the .com name servers for the NS records for example.com.
> They correctly return a non-authoritative answer. It's only the name
> servers for example.com that are authoritative for example.com and will
> authoritatively answer that query. In other words, it's the child that's
> responsible for the zone's authoritative NS RRset, not the parent. Which
> is how things should be when you consider what delegation actually
> means: crossing an administrative boundary from one authority to another.
>
> Please think again about what you posted. The inference of what you say
> is that the root servers are authoritative for everything. That's
> clearly not true.
>

In RCF103x with RFC2181 clarification the  world it was simple:
Parent zone is authoritative for the existence of delegation, child 
servers are authoritative for content.

==> Everything but the presence of NS records is hint/glue in parent 
servers.


But we could not keep it simple forever in the DNSSEC world thus this 
amendment:
Parent is Authoritative for the contents DS record and NSEC/NSEC3 
records at delegation that prove if the delegation exists and if there 
is a trust path from parent to child.

	Olafur