Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition

[Havard Eidnes <he@uninett.no>]

>>    "A lame delegation is said to exist when one or more authoritative
>>    servers designated by the delegating NS RRset or by the child's apex
>>    NS RRset answers non-authoritatively [or not at all] for a zone".
>>
>> ... without the "or not at all" part (so, an answer is required for
>> "lameness").

I'm agreeing with the above, and think it is a precise
description of the term under discussion.

> I don't think that is complete.

I disagree.

> If all the parental NS records point to properly working
> nameservers, but the authoritative nameservers claim an
> additional NS record, I would also call the delegation
> lame.

In that case (and no other conditions given), I would simply call
the delegation inconsistent.

As has been said elsewhere, many recursors will let the NS RRset
from one of the authoritative name servers for the child zone
override the NS RRset received from one of the name servers of
the parent zone.

However, at this point in the description, the "additional" name
server *could* be have been configured to serve the zone, and
nothing untoward would happen operationally as a result.
However, the delegation would still be inconsistent.

> Especially if that additional nameserver specified in the
> authoritative NS RRset is responding non-authoritatively.

Then that response will be an indication that the delegation to
that name server would be characterized as being "lame" (even
though the corresponding NS record doesn't come from the parent
zone; this is covered by the quoted text above).

> This might not be lame on the initial queries, but if the
> resolver is child centric or validating, that broken
> authoritative NS will end up getting queried and a lame answer
> would be given.

Correct.

> How about:
>
>     "A lame delegation is said to exist when the NS RRset of a zone is
>      different at the parent and child nameservers, with the mismatched
>      authoritative servers either listed at the parent or child answering
>      non-authoritatively for that zone."

I don't think this is a good definition because to me this over-
focuses on the "inconsistent" aspect, and it is not so that every
inconsistent delegation includes an instance of a lame
delegation.

On the other hand, you can have a perfectly consistent delegation
(NS RRsets from parent and child zone are identical), but still
have an instance of a lame delegation because one of the
delegated-to name servers answers non-authoritatively for the
zone in question.

I think the quoted definition at the top of this message more
precisely describes my perception of the term.  And, yes, I think
that you need to get a (non-authoritative) response in order to
say that the delegation of a given zone to a given name server is
lame.

Regards,

- Håvard