[dd] Re: Security Considerations: NS Weaker Than DELEG

Havard Eidnes <he@uninett.no> Fri, 06 March 2026 10:39 UTC

Return-Path: <he@uninett.no>
X-Original-To: dd@mail2.ietf.org
Delivered-To: dd@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 80C7AC58B110; Fri, 6 Mar 2026 02:39:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=uninett.no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OEJqlOAaq8wt; Fri, 6 Mar 2026 02:39:42 -0800 (PST)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 45F49C58B104; Fri, 6 Mar 2026 02:39:42 -0800 (PST)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id 73E9C43ECFD; Fri, 6 Mar 2026 11:39:40 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uninett.no; s=he201803; t=1772793580; bh=MrEjrMci3RDXoly8sI3KK+Eqh2EskTSvH57KByrbl1Q=; h=Date:To:Cc:Subject:From:In-Reply-To:References:From; b=f+AOZDFICfDh6fh1r06UIdJfJ8tKgDpmVptGqRRFSLJj0uqVCHNjJVOdgChU38+G3 0uomMzMKNHI+sz3y7Zqe9z5Q2nQqo/wioXh7/ypA+0yKu3tVJ6w+XPqfpGOPuUfgaO ym3Br0TjIETLzWglZrmvQD+9vGTzW4jao9WN6II8=
Date: Fri, 06 Mar 2026 11:39:40 +0100
Message-Id: <20260306.113940.1731305253832688211.he@uninett.no>
To: jabley=40strandkip.nl@dmarc.ietf.org
From: Havard Eidnes <he@uninett.no>
In-Reply-To: <B2DE1BC4-6576-403E-AC2D-1DD85203F14B@strandkip.nl>
References: <20260305.165440.316225281820983390.he@uninett.no> <B2DE1BC4-6576-403E-AC2D-1DD85203F14B@strandkip.nl>
X-Mailer: Mew version 6.10 on Emacs 29.4
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2L3MR6AH5VAURIK2IVK355I5KI5OCVSG
X-Message-ID-Hash: 2L3MR6AH5VAURIK2IVK355I5KI5OCVSG
X-MailFrom: he@uninett.no
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: pspacek@isc.org, dd@ietf.org, miek@miek.nl, jabley@strandkip.nl, paul@redbarn.org, deleg-chairs@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dd] Re: Security Considerations: NS Weaker Than DELEG
List-Id: DNS Delegation <dd.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/LHUvzffHgx5yJqNoBtu9jUfCV00>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Owner: <mailto:dd-owner@ietf.org>
List-Post: <mailto:dd@ietf.org>
List-Subscribe: <mailto:dd-join@ietf.org>
List-Unsubscribe: <mailto:dd-leave@ietf.org>

>> I'm otherwise with you that the protocol itself should not
>> mandate NS record presence in all zones, be that human-maintained
>> or synthesized, any more than the cautionary notes now in section
>> 6 in draft -07.
> 
> I'm curious since you expressed a related opinion above what
> you think about what I've said previously regarding the danger
> (as I see it) of name errors propagating through resolvers,
> forwarder and application caches.
>
> Do you have a solution in mind that avoids my concern in order
> to achieve what you say above, or do you think my concern is
> unwarranted?

I can't claim that all my utterances have been 100% self-consistent,
sorry...

That said:

The concern about NXDOMAIN propagating from a non-DELEG recursive
resolver to a "downstream" DELEG-aware recursive resolver is, I
beleive, diminished or eliminated by declaring such a setup to fall in
the "do not do that" category: if you need to configure a DELEG-aware
recursive resolver with a forwarder, it is up to you as a DNS resolver
administrator to ensure that the pointed-to upstream recursive
resolvers are all DELEG-aware.  Said with other words: configuring a
DELEG-aware recursive resolver to use a non-DELEG-aware recursive
resolver as forwarder is a "deployment error" and is "not supported".
"You're threading on ground outside the standard, and do not be
surprised that bad things might happen, e.g. some parts of the name
space which are DELEG-only delegated may spuriously(?) become
unreachable."

The mental model I have which justifies NXDOMAIN in the non-DELEG case
for a name in a DELEG-only zone is that the publishing name servers
need to present a view to the non-DELEG-supporting recursive resolvers
of the DNS name space which is consistent with the DNS as if the DELEG
record "has no special properties", in particular, "has no name space
delegating" properties, in other words, behaves as any other "unknown"
RR type.  A non-DELEG-aware recursive resolver can never look up names
residing in a DELEG-only zone, and the NXDOMAIN is a cacheable signal
that there is no point in trying.

> Related, in draft-ietf-deleg-requirements we see:
>
> S5. DELEG should allow for backward compatibility to the
> conventional NS-based delegation mechanism. That is, a zone operator
> who wants to maintain a single source of truth of delegation
> information using DELEG should be able to easily have Do53
> delegations derived from it.

Are we fully agreed that this needs to be a protocol mandate?

From a protocol perspective, the zone administrator may register both
NS and in parallel DELEG records which express the same method of
delegation, but that does not *need* to be something the protocol
provides, but can instead be solved at the implementation or
administrator interface level.

Some might claim that allowing parallel publication of DELEG and NS is
the asked-for "backward compatibility".

It's also worth noting that if DELEG should express exactly the same
as what NS does, what is then the point of having the DELEG records
there in the first place?  (I'll claim "very little".)

On the other hand, if the zone owner wants to start pushing for secure
transport to DNS publishing name servers, that is something which
cannot be expressed with NS records, so in that case you cannot have a
"single source of truth" for those two delegation mechanisms.


I don't know, it's all sort of a hot mess...


Regards,

- Håvard