A pretty significant change in resolver behavior is proceeding:

jtk@infosec.exchange

A pretty significant change in resolver behavior is proceeding:

"[...] BIND 9 is switching to a parent-centric model of delegations. [...] The NS records in the child domain will be treated as normal DNS records and returned as authoritative data, but they will no longer overwrite the delegation data for the domain."

BIND 9.21+/9.22: parent-centric delegations and no TTL-based cleaning

(lists.isc.org)

So much of what you may have learned about how #DNS works around the turn of the century is now out of date.

paul_ipv6@infosec.exchange

@jtk

having parent/child mismatches in NS for delegation has always been non-deterministic, but this will definitely surprise folks who've been counting on one broken way of doing things.

reviewing operational procedures for how to change NS when moving registrars is definitely one place to check for this.

i'm still not totally sold on DELEG but this will definitely be one step towards making that happen.

jtk@infosec.exchange

@paul_ipv6 I'm in favor ofthe parent-centric approach. When I was doing some research on DNS inconsistency, making the parent NS RRset the primary and eventually only authoritative source of that data seemed to be both practical and sensible, at least on paper. I'm not confident this would be problem-free (e.g., RRset update agility) however.

I'm also not sure about DELEG-related stuff, but I think that can be treated as a separated issue.