IETF Logo Mail Archive

Re: {Blocked Content} I-D ACTION:draft-ietf-dnsext-rfc2672bis-dname-07.txt

Wouter Wijngaards <wouter@NLnetLabs.nl> Fri, 04 January 2008 14:58 UTC

Return-path: <owner-namedroppers@ops.ietf.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAnzr-0004Ar-Eo; Fri, 04 Jan 2008 09:58:07 -0500
Received: from psg.com ([147.28.0.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JAnzq-0004lI-NM; Fri, 04 Jan 2008 09:58:07 -0500
Received: from majordom by psg.com with local (Exim 4.68 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1JAnuK-000K4V-ON for namedroppers-data@psg.com; Fri, 04 Jan 2008 14:52:24 +0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on psg.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,RDNS_NONE autolearn=no version=3.2.3
Received: from [213.154.224.1] (helo=open.nlnetlabs.nl) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from <wouter@nlnetlabs.nl>) id 1JAntn-000Jzh-Tn for namedroppers@ops.ietf.org; Fri, 04 Jan 2008 14:52:08 +0000
Received: from gary.nlnetlabs.nl (gary.nlnetlabs.nl [IPv6:2001:7b8:206:1:216:76ff:feb8:1853]) by open.nlnetlabs.nl (8.14.1/8.14.1) with ESMTP id m04EpJi5075504; Fri, 4 Jan 2008 15:51:19 +0100 (CET) (envelope-from wouter@nlnetlabs.nl)
Message-ID: <477E47E7.9020205@nlnetlabs.nl>
Date: Fri, 04 Jan 2008 15:51:19 +0100
From: Wouter Wijngaards <wouter@NLnetLabs.nl>
User-Agent: Thunderbird 2.0.0.9 (X11/20071115)
MIME-Version: 1.0
To: Michael StJohns <mstjohns@comcast.net>
CC: Edward Lewis <Ed.Lewis@neustar.biz>, Ólafur Guðm undsson /DNSEXT chair <ogud@ogud.com>, Scott Rose <scottr@nist.gov>, namedroppers@ops.ietf.org
Subject: Re: {Blocked Content} I-D ACTION:draft-ietf-dnsext-rfc2672bis-dname-07.txt
References: <E1J4iqE-0005jc-Ge@stiedprstage1.ietf.org> <476BBAA4.8010703@nist.gov> <200712211433.lBLEXkIZ034297@ogud.com> <a06240802c39ebfd12705@[192.168.1.104]> <E1J9P2K-000GkC-Vk@psg.com>
In-Reply-To: <E1J9P2K-000GkC-Vk@psg.com>
X-Enigmail-Version: 0.95.5
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::53]); Fri, 04 Jan 2008 15:51:20 +0100 (CET)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-id: DNSEXT discussion <namedroppers.ops.ietf.org>
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 52f7a77164458f8c7b36b66787c853da

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael StJohns wrote:
>> http://www.ietf.org/internet-drafts/draft-ietf-dnsext-rfc2672bis-dname-07.txt
>>
>> # 2.3.  DNAME Apex not Redirected itself
>> ...
>> #  This means that a DNAME RR is not allowed at the same domain name as
>> #  NS records unless there is also a SOA record present.  DNAME RRs are
>> #  not allowed at the parent side of a delegation point but are allowed
>> #  at a zone apex.
>>
>> The first sentence makes no sense to me.  I would suggest omitting it as the valid point is made in the second sentence.  (That is - if you are a cache and happen to have all of a domain name's information stored you will always have an SOA where there is an NS.  From that perspective a restriction saying "it can't have NS unless there's an SOA" has got to be defined in the context of a zone file.)
> 
> Agreed.  AND... this really needs to be defined in terms of server and resolver behavior rather than what can and can't be in the zone file. People will screw up and bad things will happen.  How - exactly - does this record work in the presence of "bad data"?    E.g.  what happens at a cache if it gets both a DNAME and NS records for a specific name?  Does it keep the DNAME records and discard the NS records? Vice versa?  Crash in disgust?
> 
> In 2.4 - "refuse to load" should probably be "refuse to serve" data below a DNAME.
> 
> What does a recursive resolver do if it gets conflicting data (e.g. data below a DNAME followed later by a DNAME and vice versa?)
> 
> There are other places in the text which have this problem as well.
> 

Hi Michael,

I agree, such a statement should have been made in the context of a zone
file. Thanks for your comments.

However I disagree about having server and resolver behaviour terms and
'refuse to serve', see below about bad data for a solution I propose.

Having DNAME and NS records for one domain name is perfectly reasonable.
 The NS records define the server authoritative for that one domain
name, and the DNAME redirects names below that one domain name.

An example of bad data is when data (say an AAAA record at
www.example.com) exists below a DNAME record (at example.com).

How will things work with bad data. A server must refuse to load a zone
with bad data. Due to delays conflicts may appear for resolvers. A
resolver must select one side of the conflict. Due to data falling out
of the cache, a resolver may change sides in the conflict. Until TTLs
expire (due to the zone file being correct, since it managed to load
without refusal), then sanity prevails again.

Since a resolver can change sides in the conflict situation anyway, it
can just as well be allowed to change sides per-query.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHfkfnkDLqNwOhpPgRAo34AJ9jg8h8j4/WSd2D1P5BfqS+ESXNOwCeMl0N
U+7RVSDCoF9bjduf3nQV9FY=
=+cLY
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email