fl1ger
commented
4 years ago As an NS2T is not indicating a zone cut it can't be below a zone cut as it always has to be in the authoritative zone for the domain. I agree on the signing, lets keep it how DNSSEC is working currently.
As I understand it, NS2 is like NS and indicates a zone cut, while NS2T does not. At a zone cut, the authoritative copies of them are at the apex of the child zone and whatever is in the parent is glue except for the hack that parent DS is signed. I don't think I can come up with any signing scheme that works and allows both NS2 and NS2T at the same name. So how about saying you can't do that? The location of NS2T is arbitrary so I don't think that loses anything.
Bonus problem: if the NS2T can be below the zone cut, you'd need glue copies in the parent zone, which would lead to a rather convoluted process to follow the gluey NS2T, then check the DS/DNSKEY in the child zone, then see if there's an authoritative copy of the NS2T in the child and if not, unwind the whole thing. Again, that doesn't strike me as very useful so I'd suggest a rule that NS2T can't be below the target, nor can it be below the target of any NS needed to resolve its name to avoid resolution glue loops.