Re: [DNSOP] Delegation into the interior of a zone?

Grant Taylor <gtaylor@tnetconsulting.net> Fri, 28 December 2018 01:05 UTC

Return-Path: <gtaylor@tnetconsulting.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C20130EC6 for <dnsop@ietfa.amsl.com>; Thu, 27 Dec 2018 17:05:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=tnetconsulting.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kKvKCDm6l2cy for <dnsop@ietfa.amsl.com>; Thu, 27 Dec 2018 17:05:12 -0800 (PST)
Received: from tncsrv06.tnetconsulting.net (tncsrv06.tnetconsulting.net [IPv6:2600:3c00:e000:1e9::8849]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 766BE130EC5 for <dnsop@ietf.org>; Thu, 27 Dec 2018 17:05:12 -0800 (PST)
Received: from Contact-TNet-Consulting-Abuse-for-assistance by tncsrv06.tnetconsulting.net (8.15.2/8.15.2/Debian-3) with ESMTPSA id wBS1594t004227 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <dnsop@ietf.org>; Thu, 27 Dec 2018 19:05:11 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=tnetconsulting.net; s=2015; t=1545959111; bh=5fwsSXkL74IzecHEP4nA6YCo16S9mwQ+b6UTaUJUgfg=; h=Subject:To:References:From:Message-ID:Date:User-Agent: MIME-Version:In-Reply-To:Content-Type:Cc:Content-Disposition: Content-Language:Content-Transfer-Encoding:Content-Type:Date:From: In-Reply-To:Message-ID:MIME-Version:References:Reply-To: Resent-Date:Resent-From:Resent-To:Resent-Cc:Sender:Subject:To: User-Agent; b=4W/DZZG6AxwYATU8f08Wn2SVmBj+hP25IFTpCk1/1Rm3ncZcBqdsSB2sHeyzRGaD7 DzsEl725w1l3I1VJK4vTfJPgQxhhsQLZK93XI2AT2B6OKcjisKOm1P3xCDIeeqPYPG DpsOb1HgBuP5xopKF9MIm8bUAKNlWOGKzRj1skGw=
To: dnsop@ietf.org
References: <20181227192639.21372200BFBF3A@ary.qy> <5C252F32.50503@redbarn.org>
From: Grant Taylor <gtaylor@tnetconsulting.net>
Organization: TNet Consulting
Message-ID: <00082f63-1a55-2f75-403f-1f6f67e8b5e7@spamtrap.tnetconsulting.net>
Date: Thu, 27 Dec 2018 18:05:11 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <5C252F32.50503@redbarn.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms050504080206070901060101"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0JQl3Kb4Qtb-Oz1d7cqdtu7F4UA>
Subject: Re: [DNSOP] Delegation into the interior of a zone?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Dec 2018 01:05:15 -0000

On 12/27/18 12:59 PM, Paul Vixie wrote:
> in RFC 2317 we do this with CNAME not NS. did the proponent explain why 
> CNAME wasn't suitable for her purposes?

Vaguely.

I personally find CNAMEs to sub-domains to be sub optimal for various 
reasons.

I have coached MANY (too many?) people through RFC 2317 over the last 18 
years.  Almost all of them have run into the following issues:

1)  RFC 2317 is in some ways too vague.  I say this because the people 
wanting to do classless in-addr.arpa delegation tend to be new, to at 
least 2317, if not DNS in general and don't understand how it works.  As 
such, RFC 2317 not specifying some details (probably done on purpose to 
be flexible) tended to make things more difficult for them.

2)  RFC 2317 uses the (forward) slash character "/" in some of the 
examples as part of sub-domain that qnames are being aliased to.  (From 
memory) elsewhere the RFC states that some DNS servers and / or clients 
might have problems with the (forward) slash character "/" and indicate 
that a different character may need to be used.

3)  RFC 2317 does not clearly stipulate that sub-domain that qnames are 
being aliased to can be any sub-domain / zone that you want.  This 
leaves people questioning if they have to do some sort of in-addr.arpa 
like reverse DNS zone or if they can make it a sub-domain of (one of) 
their main domain(s).  2317 makes some suggestions about using the 
network, separation character, CIDR prefix length.  But (from memory) 
this wasn't clearly articulated.  I also believe there were examples of 
other methods, thus adding to the confusion.

4)  Some DNS servers (MS-DNS) have problems with an 
0/16.2.0.192.in-addr.arpa.  Or at least their wizards make it seems as 
if it can't be done and leave it up to the reader to figure out how to 
do it manually.

5)  I've run into many ISPs that refuse to do 2317 but will do NS 
delegation.

6)  I've had to coach ISPs (frequently by proxy) on 2317 to try to get 
them to understand enough to decide if they will do it.  (Frequently 
they say no after they learn enough, citing "complexity".)

7)  I've had much less push back asking for IPs to simply be delegated 
using standard NS records to other DNS servers.

Aside:  I believe John was primarily question my recommendation to have 
different versions of the same zone cross delegating to each other.  But 
it's important to know that when I originally started using NS 
delegation instead of CNAME delegation I was using separate zones for 
each and every delegated IP address.  This quickly got unwieldy.  So I 
tried with the single zone, found no problems, and have never seriously 
looked back.  -  I'm always curious about pros and cons of it.  Hence my 
follow up to John's thread on the bind-users list.

I have also run afoul of RBLs that did not know what RFC 2317 Classless 
IN-ADDR.ARPA Delegation was.  Thus their scanners came across my CNAME 
per 2317 and coughed up a fur ball and black listed servers.

While working with the RBL operator (I found them to be quite 
approachable and responsive when being polite) I learned that their 
scanners would not have had any problem with the NS delegation.  -  I 
believe their specific problem was that they were expecting a PTR record 
and did not process the CNAME record at all, much less correctly.  They 
stipulated that they were already processing NS records for delegation 
and would have happily done do and found the requisite PTR.

So, I switched to the NS delegation (using discrete zones at the time) 
and moved on.  I heard from the RBL operator about six months later, 
letting me know that they had retooled a significant portion of their 
infrastructure to support 2317 and thanking me again for bringing it to 
their attention.

I personally feel like aliasing to a sub-domain is atypical of standard 
DNS delegation.  At least in the in-addr.arpa space.  Conversely, using 
an additional NS record for one more delegation is re-using the exact 
same methods that were used to get to the qname in question.

I felt like NS delegations were cleaner and simpler than CNAME delegations.

Of the people that I've helped over the years, telling them to ask their 
upstream ISP to put in an NS record (something they are more likely used 
to) and adding a 6 label zone (with the PTR in the apex) to their server 
worked out MUCH easier.  The conversations were ALWAYS shorter, less 
complex, and clearer.

> if the old domain-obscenity-checker (DoC) which came out with the 
> domain-information-groper (DiG) back in the 1980's says it's wrong, then 
> it's wrong.

Now I want to test NS delegation (both multiple zones and single zone) 
with DoC and DiG to see what they say.

> if the specifications don't cover this case, they are incomplete.

I won't say how likely (or not) that is, just that it is a statistical 
possibility.

> or at least, that's how i do things.

Fair enough.

With all do respect Paul, how you do or don't do things does not 
directly translate to if it's correct or not.  Though seeing as it's 
/you/, Paul Vixie, chances are quite good that what you do is in fact 
correct.  At least far more so than what I do.

> first i'd have to know what problem caused by CNAME in the outer zone 
> they think they are solving using NS.

I think I outlined that above.  If not, or if you still have questions, 
please reply and I'll elaborate.

In short, 2317 failed me, flat out.  (That might not be 2317's fault 
directly.  But it failed when NS delegation would not have failed the 
same test.)  I find 2317 to be a possible tool.  I also find NS 
delegation to be another tool for the same task.  I personally think NS 
delegation is simpler.  The people that I've talked to over the years 
seem to agree that NS delegation is simpler.  So, factor in Occam's 
Razor / Parsimony between the two tools and I'm going to choose NS 
delegation over CNAME delegation.  At least absent a reason that I can't 
use NS delegation.



-- 
Grant. . . .
unix || die