IETF Logo Mail Archive

Re: [dnsext] Failure to add glue MUST cause TC to be set.

"George Barwood" <george.barwood@blueyonder.co.uk> Tue, 22 February 2011 08:47 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBD5A3A677E for <dnsext@core3.amsl.com>; Tue, 22 Feb 2011 00:47:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.045
X-Spam-Level: *
X-Spam-Status: No, score=1.045 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, HELO_EQ_BLUEYON=1.4, J_CHICKENPOX_55=0.6, MIME_BASE64_BLANKS=0.041, MIME_BASE64_TEXT=1.753]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wfe+cqEDqH1U for <dnsext@core3.amsl.com>; Tue, 22 Feb 2011 00:47:09 -0800 (PST)
Received: from smtp-out4.blueyonder.co.uk (smtp-out4.blueyonder.co.uk [195.188.213.7]) by core3.amsl.com (Postfix) with ESMTP id 750123A676A for <dnsext@ietf.org>; Tue, 22 Feb 2011 00:47:09 -0800 (PST)
Received: from [172.23.170.141] (helo=anti-virus02-08) by smtp-out4.blueyonder.co.uk with smtp (Exim 4.52) id 1PrnuR-000782-Sw; Tue, 22 Feb 2011 08:47:51 +0000
Received: from [92.238.99.235] (helo=GeorgeLaptop) by asmtp-out3.blueyonder.co.uk with smtp (Exim 4.72) (envelope-from <george.barwood@blueyonder.co.uk>) id 1PrnuG-0005pu-7i; Tue, 22 Feb 2011 08:47:40 +0000
Message-ID: <16828D1CC85F4F438BFE576A48828FBB@local>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: Mark Andrews <marka@isc.org>
References: <20110219210716.72943A5602B@drugs.dv.isc.org><A02552CBBF2B42F5BA91D6E4EC23F31D@local> <20110220203156.C1F83A6526F@drugs.dv.isc.org><3764325DE7FA4B2F9B77387EBD15EAF8@local> <20110220210758.81B93A65431@drugs.dv.isc.org><3D9B2A0D15F84DC6822FCF0FC6F8F214@local> <20110220225811.1F68CA65BFC@drugs.dv.isc.org> <4DFFA0E09D824AEC92EA89AFFB9F2120@local> <20110221220645.D59D1A87710@drugs.dv.isc.org>
Date: Tue, 22 Feb 2011 08:48:06 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Feb 2011 08:47:11 -0000

----- Original Message ----- 
From: "Mark Andrews" <marka@isc.org>
To: "George Barwood" <george.barwood@blueyonder.co.uk>
Cc: <dnsext@ietf.org>
Sent: Monday, February 21, 2011 10:06 PM
Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.


> 
> In message <4DFFA0E09D824AEC92EA89AFFB9F2120@local>, "George Barwood" writes:
>> 
>> ----- Original Message ----- 
>> From: "Mark Andrews" <marka@isc.org>
>> To: "George Barwood" <george.barwood@blueyonder.co.uk>
>> Cc: <dnsext@ietf.org>
>> Sent: Sunday, February 20, 2011 10:58 PM
>> Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
>> 
>> 
>> > 
>> > In message <3D9B2A0D15F84DC6822FCF0FC6F8F214@local>, "George Barwood" writes:
>> >> 
>> >> ----- Original Message ----- 
>> >> From: "Mark Andrews" <marka@isc.org>
>> >> To: "George Barwood" <george.barwood@blueyonder.co.uk>
>> >> Cc: <dnsext@ietf.org>
>> >> Sent: Sunday, February 20, 2011 9:07 PM
>> >> Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
>> >> 
>> >> 
>> >> > 
>> >> > In message <3764325DE7FA4B2F9B77387EBD15EAF8@local>, "George Barwood" writes:
>> >> >> >> ----- Original Message ----- 
>> >> >> >> From: "Mark Andrews" <marka@isc.org>
>> >> >> >> To: <dnsext@ietf.org>
>> >> >> >> Sent: Saturday, February 19, 2011 9:07 PM
>> >> >> >> Subject: [dnsext] Failure to add glue MUST cause TC to be set.
>> >> >> >> 
>> >> >> >> > Below is a example of why TC should be set when glue cannot be added
>> >> >> >> > to the answer.
>> >> >> >> > 
>> >> >> >> > [..]
>> >> >> >> 
>> >> >> >> Agreed, but where exactly should the line be drawn?
>> >> >> > 
>> >> >> > What line?  If the glue doesn't fit then the referral is not complete.
>> >> >> > 
>> >> >> >> If omitting any glue leads to truncation, then many (non-DNSSEC) referrals
>> >> >> >> over UDP will have TC set. e.g. 
>> >> >> >> 
>> >> >> >> dig foo.com @a.root-servers.net
>> >> >> > 
>> >> >> > Yes.
>> >> >> > 
>> >> >> >> Is that sensible?
>> >> >> > 
>> >> >> > Yes.
>> >> >> > 
>> >> >> >> How much glue is enough?
>> >> >> > 
>> >> >> > Depends on the delegation.  The only safe answer is all you have.
>> >> >> 
>> >> >> One suggestion that might work is that glue which matchs QNAME+QTYPE MUST
>> >> >> be included, but other glue can be omitted.
>> >> > 
>> >> > This does not work in all cases where glue needs to be returned.
>> >> > 
>> >> > Zone A.net is served by servers in B.net.  Zone B.net is served by
>> >> > servers in A.net.
>> >> 
>> >> So something like
>> >> 
>> >> 
>> >> But nothing will work in that case - if you make a recursive loop like this,
>> >> then there is no glue ( the name server names are not "below" the cut ) and
>> >> you have had it regardless. 
>> > 
>> > Glue records are records in the parent zone to enable you to reach
>> > the servers for the child zone.  RFC 1034 gave a obvious example
>> > of such records.  There are less obvious examples.
>> > 
>> >> That's a mis-configuration, not a counter-example.
>> > 
>> > No. It is not a mis-configuration.
>> 
>> RFC1034 says
>> 
>>   To fix this problem, a zone contains "glue" RRs which are not
>>   part of the authoritative data, and are address RRs for the servers.
>>   These RRs are only necessary if the name server's name is "below" the
>>   cut, and are only used as part of a referral response.
>> 
>> The second sentence rules out the mutually recursive case ( very sensibly ).
> 
> No.  It just means that they failed to fully analyse the problem.

That's possible. Or they may have fully understood and chosen this form of words
to rule out the mutually recursive case in a subtle way.

I think the other possibility is they were viewing it from an operators point of view.
They were saying "this is all you need". RFC1033 has similar language.

Regardless, the RFC does not deal with this case, so it's best to avoid it.
My resolver rejects all glue that is not in-zone, and in several years of use I have not seen a problem,
so it seems that this technique is not in widespread use.

> 
> If they wanted to prevent the mutually recursive case there would
> have been words to outlaw it or warn of it.  RFC 1034 contains lots
> of errors this is just another one.

I don't think you can call it an error. It is an ambiguity / omission.

Anyway, regardless, to come back to the original suggestion on when glue is essential.
If you want to support this extended form of glue, then such glue records must be included
in a referral, with TC set if there is no room. "Conventional" (in-zone) glue records can
be omitted (to avoid truncation) unless they match QNAME/QTYPE.
This rule avoids TCP fallback in common non-DNSSEC cases.

George
 
> Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email