Re: [DNSOP] howto "internal"

Tony Finch <dot@dotat.at> Thu, 26 July 2018 13:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/INbtYZCkAQmw4E7HgnEOXbA4Wcg>

Grant Taylor <gtaylor=40tnetconsulting.net@dmarc.ietf.org> wrote:
>
> What is your opinion on blindly grafting the sub-domain onto the parent zone
> without proper delegation?

Asking for trouble. We used to do that in the dim and distant past but
not any more because it's incompatible with DNSSEC.

> As I type this I wonder about delegating to an RFC 1918 address via names in
> an NS record that are within the delegated zone.  Thus they would require glue
> records.  Externally I'd omit the glue records.  Internally I'd have the
> records within zone scope along with all the other zone data.
>
> I suspect that this may cause odd retry issues too.

Yes.

However, if you are willing to have views in the parent public zone, you
might as well omit the private delegation entirely in the public version.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fisher, German Bight, Humber: East 3 or 4 veering southeast 4 or 5, increasing
6 at times. Slight, becoming slight or moderate later. Thundery showers
developing. Good, occasionally poor.
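
A check for the situation discussed in this message, as an added example that is not part of the original email: it scans the public version of a parent zone for delegations that lead to RFC 1918 glue or to in-zone NS names whose glue was omitted. The zone contents, the names and the function `private_delegations` are hypothetical, and records are assumed to be fully expanded, one per line.

```python
import ipaddress

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: public view of a parent zone (hypothetical names and
# addresses, not taken from the thread).
PUBLIC_ZONE = """\
example.com.             3600 IN NS  ns1.example.com.
ns1.example.com.         3600 IN A   192.0.2.53
www.example.com.         3600 IN A   192.0.2.80
corp.example.com.        3600 IN NS  ns1.corp.example.com.
ns1.corp.example.com.    3600 IN A   10.0.0.53
"""

def parse(zone_text):
    """Yield (owner, rtype, rdata) from 'owner ttl class type rdata' lines."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        yield owner.lower(), rtype.upper(), rdata.strip().lower()

def private_delegations(zone_text, apex):
    """Return (child, ns_name, reason) for each problematic delegation."""
    records = list(parse(zone_text))
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(ipaddress.ip_address(rdata))
    findings = []
    for owner, rtype, target in records:
        if rtype != "NS" or owner == apex:
            continue  # only delegations below the apex are of interest
        glue = addrs.get(target, [])
        in_zone = target == owner or target.endswith("." + owner)
        if any(a in net for a in glue for net in RFC1918):
            findings.append((owner, target, "glue in RFC 1918 space"))
        elif in_zone and not glue:
            findings.append((owner, target, "in-zone NS name without glue"))
    return findings

if __name__ == "__main__":
    for finding in private_delegations(PUBLIC_ZONE, "example.com."):
        print(*finding, sep="  ")
```

A public zone with the private delegation omitted entirely produces no findings.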