[RSSAC Caucus] Curious difference in glue TTL for root servers

Petr Špaček petr.spacek at nic.cz
Fri Jun 19 08:10:43 UTC 2020


On 19. 06. 20 1:29, Mukund Sivaraman wrote:
> On Fri, Jun 19, 2020 at 04:55:52AM +0530, Mukund Sivaraman wrote:
>> On Thu, Jun 18, 2020 at 10:34:40PM +0000, Wessels, Duane wrote:
>>> My guess is that some implementations take the glue from the root zone
>>> and some take it from the root-servers.net zone (which has the 3600000
>>> TTL).
>>
>> You are probably right. If this is the case, then there is the question
>> of which is more correct for use as glue. Though the root servers also
>> serve the root-servers.net zone and are authoritative for them, when
>> glue exists as glue within the root zone, should the root nameservers not
>> use the glue in preference?
>>
>> Ignoring the case of . and root-servers.net, assume a secondary
>> authoritative NS is configured for a parent zone and child zone a couple
>> of levels within the parent domain, which are transferred in from
>> different primary NSs (under control of different entities).  The
>> authoritative NS does not know if the parent and/or slave are delegated
> 
> parent and/or *child zone* are delegated
> 
>> to it (as a resolver would) - it just serves zone data.  If one is to
>> assume that the parent zone is delegated to the NS, and the child zone
>> is delegated to some other nameserver (whereas a similarly named zone
>> exists on this NS), it seems more correct that glue that exists as glue
>> within the parent zone be used, and not address records from the child
>> zone (even though the NS thinks it is configured as an authority for the
>> child).

I would say it does not matter because glue and auth data are supposed to be the same [https://tools.ietf.org/html/rfc1034#section-4.2.2] so implementations should be free to choose either approach.

Anyway this is probably material for dnsop WG.

-- 
Petr Špaček  @  CZ.NIC
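
Added example, not part of the original message or of any DNS implementation: a small check that compares glue address records in a parent zone with the authoritative records for the same names in the child zone, which is the consistency the thread relies on. The zone names, addresses and the 172800 TTL are constructed sample data; only the 3600000 TTL appears in the thread.

```python
from collections import defaultdict

# Constructed sample data: parent-side delegation with glue, and the child zone's own records.
PARENT_ZONE = """\
child.example.      172800   IN NS   ns1.child.example.
child.example.      172800   IN NS   ns2.child.example.
ns1.child.example.  172800   IN A    192.0.2.1
ns2.child.example.  172800   IN A    192.0.2.2
ns2.child.example.  172800   IN AAAA 2001:db8::2
"""
CHILD_ZONE = """\
child.example.      3600000  IN NS   ns1.child.example.
child.example.      3600000  IN NS   ns2.child.example.
ns1.child.example.  3600000  IN A    192.0.2.1
ns2.child.example.  3600000  IN A    192.0.2.99
"""

def parse_zone(text):
    """Parse 'owner ttl class type rdata' lines into {(owner, type): {"ttl", "rdata"}}."""
    rrsets = defaultdict(lambda: {"ttl": None, "rdata": set()})
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
        rrset = rrsets[(owner.lower(), rrtype.upper())]
        rrset["ttl"] = int(ttl)
        rrset["rdata"].add(rdata.strip().lower())
    return dict(rrsets)

def compare_glue(parent, child, child_origin):
    """Return (owner, type, finding) for each glue RRset that differs from the child's data."""
    findings = []
    origin = child_origin.lower()
    for (owner, rrtype), glue in sorted(parent.items()):
        if rrtype not in ("A", "AAAA"):
            continue
        if owner != origin and not owner.endswith("." + origin):
            continue  # not at or below the zone cut, so not glue for this child
        auth = child.get((owner, rrtype))
        if auth is None:
            findings.append((owner, rrtype, "missing-in-child"))
        elif auth["rdata"] != glue["rdata"]:
            findings.append((owner, rrtype, "rdata-mismatch"))
        elif auth["ttl"] != glue["ttl"]:
            findings.append((owner, rrtype, "ttl-mismatch"))
    return findings

if __name__ == "__main__":
    for finding in compare_glue(parse_zone(PARENT_ZONE), parse_zone(CHILD_ZONE), "child.example."):
        print(*finding)
```

A TTL-only finding corresponds to the difference discussed in this thread; an rdata or missing-record finding means the answer a client receives depends on which copy the server picks.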


