[dd] Re: Security Considerations: NS Weaker Than DELEG
Havard Eidnes <he@uninett.no> Fri, 06 March 2026 10:39 UTC
Return-Path: <he@uninett.no>
X-Original-To: dd@mail2.ietf.org
Delivered-To: dd@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 80C7AC58B110; Fri, 6 Mar 2026 02:39:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=uninett.no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OEJqlOAaq8wt; Fri, 6 Mar 2026 02:39:42 -0800 (PST)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 45F49C58B104; Fri, 6 Mar 2026 02:39:42 -0800 (PST)
Received: from smistad.uninett.no (smistad.uninett.no [158.38.62.77]) by smistad.uninett.no (Postfix) with ESMTP id 73E9C43ECFD; Fri, 6 Mar 2026 11:39:40 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uninett.no; s=he201803; t=1772793580; bh=MrEjrMci3RDXoly8sI3KK+Eqh2EskTSvH57KByrbl1Q=; h=Date:To:Cc:Subject:From:In-Reply-To:References:From; b=f+AOZDFICfDh6fh1r06UIdJfJ8tKgDpmVptGqRRFSLJj0uqVCHNjJVOdgChU38+G3 0uomMzMKNHI+sz3y7Zqe9z5Q2nQqo/wioXh7/ypA+0yKu3tVJ6w+XPqfpGOPuUfgaO ym3Br0TjIETLzWglZrmvQD+9vGTzW4jao9WN6II8=
Date: Fri, 06 Mar 2026 11:39:40 +0100
Message-Id: <20260306.113940.1731305253832688211.he@uninett.no>
To: jabley=40strandkip.nl@dmarc.ietf.org
From: Havard Eidnes <he@uninett.no>
In-Reply-To: <B2DE1BC4-6576-403E-AC2D-1DD85203F14B@strandkip.nl>
References: <20260305.165440.316225281820983390.he@uninett.no> <B2DE1BC4-6576-403E-AC2D-1DD85203F14B@strandkip.nl>
X-Mailer: Mew version 6.10 on Emacs 29.4
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 2L3MR6AH5VAURIK2IVK355I5KI5OCVSG
X-Message-ID-Hash: 2L3MR6AH5VAURIK2IVK355I5KI5OCVSG
X-MailFrom: he@uninett.no
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: pspacek@isc.org, dd@ietf.org, miek@miek.nl, jabley@strandkip.nl, paul@redbarn.org, deleg-chairs@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dd] Re: Security Considerations: NS Weaker Than DELEG
List-Id: DNS Delegation <dd.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/LHUvzffHgx5yJqNoBtu9jUfCV00>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Owner: <mailto:dd-owner@ietf.org>
List-Post: <mailto:dd@ietf.org>
List-Subscribe: <mailto:dd-join@ietf.org>
List-Unsubscribe: <mailto:dd-leave@ietf.org>
>> I'm otherwise with you that the protocol itself should not >> mandate NS record presence in all zones, be that human-maintained >> or synthesized, any more than the cautionary notes now in section >> 6 in draft -07. > > I'm curious since you expressed a related opinion above what > you think about what I've said previously regarding the danger > (as I see it) of name errors propagating through resolvers, > forwarder and application caches. > > Do you have a solution in mind that avoids my concern in order > to achieve what you say above, or do you think my concern is > unwarranted? I can't claim that all my utterances have been 100% self-consistent, sorry... That said: The concern about NXDOMAIN propagating from a non-DELEG recursive resolver to a "downstream" DELEG-aware recursive resolver is, I beleive, diminished or eliminated by declaring such a setup to fall in the "do not do that" category: if you need to configure a DELEG-aware recursive resolver with a forwarder, it is up to you as a DNS resolver administrator to ensure that the pointed-to upstream recursive resolvers are all DELEG-aware. Said with other words: configuring a DELEG-aware recursive resolver to use a non-DELEG-aware recursive resolver as forwarder is a "deployment error" and is "not supported". "You're threading on ground outside the standard, and do not be surprised that bad things might happen, e.g. some parts of the name space which are DELEG-only delegated may spuriously(?) become unreachable." The mental model I have which justifies NXDOMAIN in the non-DELEG case for a name in a DELEG-only zone is that the publishing name servers need to present a view to the non-DELEG-supporting recursive resolvers of the DNS name space which is consistent with the DNS as if the DELEG record "has no special properties", in particular, "has no name space delegating" properties, in other words, behaves as any other "unknown" RR type. A non-DELEG-aware recursive resolver can never look up names residing in a DELEG-only zone, and the NXDOMAIN is a cacheable signal that there is no point in trying. > Related, in draft-ietf-deleg-requirements we see: > > S5. DELEG should allow for backward compatibility to the > conventional NS-based delegation mechanism. That is, a zone operator > who wants to maintain a single source of truth of delegation > information using DELEG should be able to easily have Do53 > delegations derived from it. Are we fully agreed that this needs to be a protocol mandate? From a protocol perspective, the zone administrator may register both NS and in parallel DELEG records which express the same method of delegation, but that does not *need* to be something the protocol provides, but can instead be solved at the implementation or administrator interface level. Some might claim that allowing parallel publication of DELEG and NS is the asked-for "backward compatibility". It's also worth noting that if DELEG should express exactly the same as what NS does, what is then the point of having the DELEG records there in the first place? (I'll claim "very little".) On the other hand, if the zone owner wants to start pushing for secure transport to DNS publishing name servers, that is something which cannot be expressed with NS records, so in that case you cannot have a "single source of truth" for those two delegation mechanisms. I don't know, it's all sort of a hot mess... Regards, - Håvard
- [dd] Security Considerations: NS Weaker Than DELEG Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Vixie
- [dd] Re: [Ext] Re: Security Considerations: NS We… Libor Peltan
- [dd] Re: Security Considerations: NS Weaker Than … Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Ralf Weber
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: Security Considerations: NS Weaker Than … Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Libor Peltan
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Florian Obser
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: Security Considerations: NS Weaker Than … Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Dave Lawrence
- [dd] Re: [Ext] Re: Security Considerations: NS We… Dave Lawrence
- [dd] Re: Security Considerations: NS Weaker Than … Havard Eidnes
- [dd] Re: [Ext] Re: Security Considerations: NS We… Florian Obser
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Michael Richardson
- [dd] Re: Security Considerations: NS Weaker Than … Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Joe Abley
- [dd] Re: Security Considerations: NS Weaker Than … Ralf Weber
- [dd] Re: Security Considerations: NS Weaker Than … Havard Eidnes
- [dd] Re: Security Considerations: NS Weaker Than … Dave Lawrence
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Joe Abley
- [dd] Re: Security Considerations: NS Weaker Than … Dave Lawrence
- [dd] Re: Security Considerations: NS Weaker Than … Joe Abley
- [dd] Re: Security Considerations: NS Weaker Than … Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Dave Lawrence
- [dd] Re: Security Considerations: NS Weaker Than … Dave Lawrence
- [dd] Re: Security Considerations: NS Weaker Than … Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Havard Eidnes
- [dd] Re: Security Considerations: NS Weaker Than … Havard Eidnes
- [dd] Re: backward compatible or not, was Security… John Levine
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Michael Richardson
- [dd] Re: Security Considerations: NS Weaker Than … Petr Špaček
- [dd] Re: Security Considerations: NS Weaker Than … Brian Haberman
- [dd] Re: Security Considerations: NS Weaker Than … Michael Richardson
- [dd] Re: Security Considerations: NS Weaker Than … Havard Eidnes
- [dd] Re: Security Considerations: NS Weaker Than … Dave Lawrence
- [dd] Re: Security Considerations: NS Weaker Than … Philip Homburg
- [dd] Re: Security Considerations: NS Weaker Than … Brian Haberman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: Security Considerations: NS Weaker Than … Joe Abley
- [dd] Re: [Ext] Re: Security Considerations: NS We… Michael Richardson
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Ralf Weber
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: [Ext] Re: Security Considerations: NS We… Petr Špaček
- [dd] Re: Security Considerations: NS Weaker Than … Joe Abley
- [dd] Re: Security Considerations: NS Weaker Than … Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Paul Hoffman
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Miek Gieben
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg
- [dd] Re: [Ext] Re: Security Considerations: NS We… Philip Homburg