IETF Logo Mail Archive

Re: [dnsext] zone cut semantics

Jay Ashworth <jra@baylink.com> Mon, 21 February 2011 04:08 UTC

Return-Path: <jra@baylink.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87D3C3A6D99 for <dnsext@core3.amsl.com>; Sun, 20 Feb 2011 20:08:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Level:
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[AWL=-0.087, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Poqy2ozY2gF for <dnsext@core3.amsl.com>; Sun, 20 Feb 2011 20:08:25 -0800 (PST)
Received: from benjamin.baylink.com (rrcs-24-129-180-187.se.biz.rr.com [24.129.180.187]) by core3.amsl.com (Postfix) with ESMTP id 4ADEC3A6D52 for <dnsext@ietf.org>; Sun, 20 Feb 2011 20:08:25 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by benjamin.baylink.com (Postfix) with ESMTP id B687C1F0012D for <dnsext@ietf.org>; Sun, 20 Feb 2011 23:09:18 -0500 (EST)
X-Virus-Scanned: amavisd-new at benjamin.baylink.com
Received: from benjamin.baylink.com ([127.0.0.1]) by localhost (benjamin.baylink.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id esbNK4SXJ0dN for <dnsext@ietf.org>; Sun, 20 Feb 2011 23:09:18 -0500 (EST)
Received: from benjamin.baylink.com (benjamin.baylink.com [192.168.253.10]) by benjamin.baylink.com (Postfix) with ESMTP id 24E921F000F0 for <dnsext@ietf.org>; Sun, 20 Feb 2011 23:09:18 -0500 (EST)
Date: Sun, 20 Feb 2011 23:09:18 -0500
From: Jay Ashworth <jra@baylink.com>
To: dnsext@ietf.org
Message-ID: <29759628.846.1298261358059.JavaMail.root@benjamin.baylink.com>
In-Reply-To: <AANLkTinWyUEi8prNUcrdEMZVCEpYa_tDRNKAQWcykRoL@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [65.34.93.30]
X-Mailer: Zimbra 6.0.9_GA_2686 (ZimbraWebClient - FF3.0 (Linux)/6.0.9_GA_2686)
Subject: Re: [dnsext] zone cut semantics
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Feb 2011 04:08:26 -0000

[ SPECULATION AHEAD ]

----- Original Message -----
> From: "Brandon Black" <blblack@gmail.com>

> The only way the resolver knows to believe the answer from the
> .brandon name servers is based on glue it believed from the root
> server. One way or another, you cannot avoid the fact that the root
> servers control .brandon's resolution, directly or indirectly. The
> root servers make a poor example though, because they're universal.
> Let's look at example.com. vs example.org. again, assuming the root
> delegates com. and org. to different sets of nameservers.
> 
> If the org. nameservers answer www.example.org. with:
> 
> example.org. NS ns1.example.com.
> ns1.example.com. A 192.0.2.1
> 
> I thought it was part of avoiding cache poisoning, etc, that org.
> nameservers are not to be believed for glue outside of its authority,

I believe that you're not supposed to *cache* them.  But you *have* to 
believe the parent glue, as it's the only way you *have* to locate the
zone servers for the subdomain, is it not?

root -> .org -> example.org
             ^^ that right there is the referral we're talking about.

> and that the resolver should query ns1.example.com. separately. 

If you don't believe the IP addresses that .org hands you for example.org's
zone servers, where else are you going to ask?

> Or is it the view of the RFCs that ns1.example.com. is basically
> functionally a "temporary" name that ties those two response RRs
> together just to be used once to contact 192.0.2.1 for this one
> delegation and never cached, and that this doesn't need to be
> independently verified through the com. servers? I was under the
> impression this is why it matters whether example.org.'s nameserver
> glue is or isn't within org., and hence my whole point about why this
> matters for glue. An un-snarky correction on this would be
> appreciated :P

It is just a "temporary name", I suppose, and if you have an authoritative
locally cached copy of the pointer to the zone server, I suppose it might
override what you're handed... but then you wouldn't trace the whole
chain, anyway, would you?

I suspect that, orthogonal to the questions about zone cut semantics, 
exactly how the resolvers work is implementation-defined... as Apple
taught us a decade or more ago...

Cheers,
-- jra

v2.23.0 | Report a Bug | By Email