On 4/19/13, Dave Crocker <dhc2@dcrocker.net> wrote:
On 4/19/2013 12:57 PM, Tony Finch wrote:
To reinforce Joe's point, there doesn't even need to be a zone cut for there to be an administrative cut. There are various ISPs and dynamic DNS providers that put all their users in the same zone, and the common [snip]
In this case, there really is no administrative cut though... the provider administers the DNS record.
The fact that they often correlate moderately well makes it easy to miss the facts that a) that's not their job, and b) the correlation isn't perfect. And the imperfections matter.
That is why there is the current interest in developing a cheap, accurate method that /is/ intended to define organizational boundaries.
It seems this is more about providing a security function to DNS, to inform the public about where the responsible parties change. The right place for this is clearly the DNSSEC extensions....

If the DS record identifies a different signer, then you have an administrative split, or if the e-mail address field in the SOA fields of the parent zone are different, then you have an administrative split, OR if one of the two zones has RP (responsible party records), and the list of RP records are different for the two zones, then you have an administrative split.

If the DS record identifies the same signer, AND the e-mail address in the SOA records is the same; or the list of e-mail addresses in the two zones' RP records are identical, then you don't have an administrative split.

--
-JH
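
The comparison rules in the message above, written out as an added example (not code from the thread or from any DNS implementation), so the cases where the stated conditions for a split and for no split both hold show up as `conflict`. Assumptions: the identity a DS record "identifies" is passed in as an opaque label because the message does not say how to derive it, the last sentence is read as (same signer AND same SOA mailbox) OR identical RP lists, and all records and names are constructed samples.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoneAdmin:
    signer: str           # assumed input: the identity the DS record is taken to name
    soa_rname: str        # mailbox (RNAME) field of the zone's SOA record
    rp_mboxes: frozenset  # mailbox fields of the zone's RP records, possibly empty

def parse_zone(signer, records):
    """Extract SOA RNAME and RP mailboxes from presentation-format lines."""
    rname, rps = None, set()
    for line in records:
        fields = line.split()            # owner ttl class type rdata...
        if len(fields) < 5:
            continue                     # not a complete record line
        rtype, rdata = fields[3].upper(), fields[4:]
        if rtype == "SOA":
            rname = rdata[1].lower().rstrip(".")
        elif rtype == "RP":
            rps.add(rdata[0].lower().rstrip("."))
    if rname is None:
        raise ValueError("no SOA record in input")
    return ZoneAdmin(signer, rname, frozenset(rps))

def admin_split(parent, child):
    """Apply the message's rules; returns 'split', 'no-split' or 'conflict'."""
    same_signer = parent.signer == child.signer
    same_soa = parent.soa_rname == child.soa_rname
    has_rp = bool(parent.rp_mboxes or child.rp_mboxes)
    same_rp = parent.rp_mboxes == child.rp_mboxes
    split = not same_signer or not same_soa or (has_rp and not same_rp)
    # Assumption: two empty RP lists are not treated as "identical" evidence.
    no_split = (same_signer and same_soa) or (has_rp and same_rp)
    if split and no_split:
        return "conflict"
    return "split" if split else "no-split"

# Constructed sample data (example.net is a documentation domain; signer labels are made up).
def _soa(owner, rname):
    return f"{owner} 3600 IN SOA ns1.example.net. {rname} 1 7200 900 1209600 3600"
def _rp(owner, mbox):
    return f"{owner} 3600 IN RP {mbox} ."
HM, ALICE, U = "hostmaster.example.net.", "alice.user.example.net.", "user.example.net."
PARENT = parse_zone("signer-A", [_soa("example.net.", HM), _rp("example.net.", HM)])
CHILD_SAME = parse_zone("signer-A", [_soa(U, HM), _rp(U, HM)])
CHILD_OTHER_RP = parse_zone("signer-A", [_soa(U, HM), _rp(U, ALICE)])
CHILD_OTHER = parse_zone("signer-B", [_soa(U, ALICE)])
```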