Re: Additional filtering of responses

Paul Vixie <vixie@isc.org> Thu, 07 August 2008 15:31 UTC

From: Paul Vixie <vixie@isc.org>
To: Wouter Wijngaards <wouter@NLnetLabs.nl>
cc: Namedroppers <namedroppers@ops.ietf.org>
In-Reply-To: Your message of "Thu, 07 Aug 2008 13:00:51 +0200." <489AD5E3.20708@nlnetlabs.nl>
References: <489AD5E3.20708@nlnetlabs.nl>
Date: Thu, 07 Aug 2008 15:22:32 +0000
Message-ID: <45759.1218122552@nsa.vix.com>
Subject: Re: Additional filtering of responses

> 1) Stuff in the additional section. RFC2181. Understand why Masataka and
> Paul think it is very important, and worth bickering over. Just mentioning.

first, we should not send, or if we receive, we should not cache or forward,
anything in the additional section that could be found using a new query.
this rules out all records except those referred to by NS RRs in an authority
or answer section, whose target names are at-or-below the NS RR owner name.

second, use these "glue" records only when trying to reach these nameservers,
or when answering questions or sending referrals about these nameservers.  do
not use them in answer sections, nor as additional data for MX or SRV or any
other purpose.  if needed for such "other purpose", go fetch them normally.

the small technical differences that masataka and i were bickering over have
to do with implicit antialiasing, and circular nonreachability.  i'll explain
for the gallery, even though i do not think that masataka will hear me.  if
the following responses are heard:

	authority	foo.org		NS     ns1.a.foo.org
	additional	ns1.a.foo.org	A      10.0.0.51

	authority	a.foo.org	NS     ns1.a.foo.org
	additional	ns1.a.foo.org	A      10.0.0.71

then there is a configuration error which crosses zone boundaries and is not
subject to normally operational fixits.  since both glue records are necessary
for reaching the nameserver, an RDNS has a difficult decision to make.
masataka recommends one choice, i recommend the other.  in masataka's design
the RDNS would contextualize the values of ns1.a.foo.org and use each one at
different times, depending on which NS RR was being followed.  in my design
there would never be more than one value for the glue in the rdns cache, and
it would be the deepest one (so, the one matching the most labels with the
zone whose delegation it was given for.)

then there's circular nonreachability.  in the following configuration:

	foo.org		NS	ns1.bar.net

	bar.net		NS	ns2.foo.org

my design says that neither zone is reachable, since no glue given by the
foo.org or .org servers for the ns1.bar.net nameserver would be believed,
and no glue given by the bar.net or .net servers for ns1.foo.org would be
believed.  in masataka's design, this glue can be sent, and heard, and then
used contextually, and both zones would be reachable.

these issues are now moot, since the bailiwick rules of glue transmission
and reception are now enshrined in most operating nameservers as well as
several RFCs, and are "house rules" in terms of the DNSSEC design, which
contemplates bailiwick issues more deeply than pre-SEC DNS did.  we can go
on bickering, and we could reopen these settled standards questions, but
we should stop treating them as open or unsettled questions.

i remain troubled and saddened by my inability to communicate effectively
with masataka; he is a brilliant and passionate dns engineer who among other
things came up with a better design for Secure DNS than any of the ones we
have standardized, and anyone who studies his work can learn a lot.  however,
our far-flung, rough-and-tumble community demands proper decorum and not just
technical excellence, and for my own self-esteem i have to draw the line
someplace.



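The two rules in the message above, written out as a small Python model. This is an added example, not code from the message, from ISC, or from any nameserver implementation; the record type, the `filter_glue` function, the `GlueCache` class and the sample responses are all constructed here for illustration. Rule one (accept an additional-section address only when it is the target of an NS RR in the answer or authority section and lies at-or-below that NS owner) is `filter_glue`; rule two, in the "one value per name, deepest delegation wins" form the author describes, is `GlueCache`, which keeps glue apart from ordinary answers and exposes it only for reaching nameservers. The two `foo.org` / `a.foo.org` responses and the `foo.org` / `bar.net` circular case are the ones from the message.

```python
"""Bailiwick filtering of the additional section (added example; responses are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RR:
    section: str  # "answer", "authority" or "additional"
    owner: str
    rtype: str
    rdata: str


def labels(name: str) -> Tuple[str, ...]:
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return tuple(name.rstrip(".").lower().split("."))


def at_or_below(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or is a subdomain of it (label-wise, not substring-wise)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_glue(response: List[RR]) -> List[Tuple[RR, str]]:
    """Rule one: keep an additional-section A/AAAA record only if it is the target of an NS RR
    in the answer/authority section and sits at-or-below that NS RR's owner name.
    Everything else in the additional section could be found with a new query, so it is dropped.
    Returns (glue RR, zone whose delegation it was given for); if several NS owners qualify,
    the deepest one is recorded."""
    ns_owners: Dict[Tuple[str, ...], List[str]] = {}
    for rr in response:
        if rr.section in ("answer", "authority") and rr.rtype == "NS":
            ns_owners.setdefault(labels(rr.rdata), []).append(rr.owner)
    kept: List[Tuple[RR, str]] = []
    for rr in response:
        if rr.section != "additional" or rr.rtype not in ("A", "AAAA"):
            continue
        zones = [z for z in ns_owners.get(labels(rr.owner), []) if at_or_below(rr.owner, z)]
        if zones:
            kept.append((rr, max(zones, key=lambda z: len(labels(z)))))
    return kept


class GlueCache:
    """Rule two: glue lives in its own store, is consulted only to reach nameservers, and a
    name holds a single value, the one given for the deepest delegation (most labels shared)."""

    def __init__(self) -> None:
        # name labels -> (depth of the zone the glue was given for, addresses)
        self._glue: Dict[Tuple[str, ...], Tuple[int, Set[str]]] = {}

    def learn(self, response: List[RR]) -> None:
        for rr, zone in filter_glue(response):
            depth = len(labels(zone))
            key = labels(rr.owner)
            cur = self._glue.get(key)
            if cur is None or depth > cur[0]:
                self._glue[key] = (depth, {rr.rdata})  # deeper delegation replaces shallower glue
            elif depth == cur[0]:
                cur[1].add(rr.rdata)  # same zone: accumulate addresses
            # glue from a shallower delegation than what is cached is ignored

    def addresses_for_nameserver(self, name: str) -> Set[str]:
        """The only way out: glue is used to reach nameservers, never as answer data."""
        return set(self._glue.get(labels(name), (0, set()))[1])


def run_demo() -> Dict[str, object]:
    """The message's two scenarios, returned for inspection."""
    parent = [RR("authority", "foo.org", "NS", "ns1.a.foo.org"),
              RR("additional", "ns1.a.foo.org", "A", "10.0.0.51")]
    child = [RR("authority", "a.foo.org", "NS", "ns1.a.foo.org"),
             RR("additional", "ns1.a.foo.org", "A", "10.0.0.71")]
    cache = GlueCache()
    cache.learn(parent)
    cache.learn(child)
    reverse = GlueCache()
    reverse.learn(child)
    reverse.learn(parent)
    circular = [RR("authority", "foo.org", "NS", "ns1.bar.net"),
                RR("additional", "ns1.bar.net", "A", "10.0.0.1")]
    return {
        "deepest_wins": cache.addresses_for_nameserver("ns1.a.foo.org"),
        "order_independent": reverse.addresses_for_nameserver("ns1.a.foo.org"),
        "out_of_bailiwick_glue_kept": filter_glue(circular),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Whichever order the `foo.org` and `a.foo.org` responses arrive in, the cache ends up holding only `10.0.0.71`, the value given for the deeper delegation; the out-of-bailiwick `ns1.bar.net` glue under `foo.org` is never accepted, which is why, under these rules, the circular configuration in the message is unreachable.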