Re: [DNSOP] Definitions of foo-centric

Edward Lewis <> Wed, 25 February 2015 15:38 UTC

From: Edward Lewis <>
Thread-Topic: [DNSOP] Definitions of foo-centric
Date: Wed, 25 Feb 2015 15:38:39 +0000
Subject: Re: [DNSOP] Definitions of foo-centric
List-Id: IETF DNSOP WG mailing list <>

On 2/25/15, 9:03, "Havard Eidnes" <> wrote:

>Firstly, isn't this "child-centric resolver" / "parent-centric
>resolver" simply a euphemism papering over the more distinct
>"correctly" and "wrongly" implemented resolver?

That’s my thought exactly.  (But that doesn’t mean the terms needn’t be
given definitions.)

>A correctly
>implemented resolver implements the DNS authority model, and to do
>that requires that the resolver replaces non-authoritative cached data
>with more authoritative data whenever it is obtained.

To put a sharper point on this, this is documented as “trustworthiness” in
“Clarifications to the DNS Specification” [RFC 2181] inside section 5.4.1
on “Ranking Data.”

I’ve seen a case of a resolver that favored the parent NS set over a child
NS set (and glue), which led to a cache poisoning event.  When a delegation
was transferred, the glue records in the TLD were not removed; an
apparently disgruntled employee aware of this left the company and
registered a new domain that made use of the glue record.  (I’m omitting
details to make this quick.)  The net result is that the caches following
this model quickly favored the stale glue over the fresh authoritative
answer, victimizing the registrant.

Nevertheless, giving the practice a name will make it easier to explain to
someone why it’s a bad idea.

>  The perhaps
>most prominent example of non-authoritative data is the copy of the NS
>RRset from the child zone which exists in the parent zone.

And/or the glue.

>>Phantom domain: ...
>Again, I'd simply call a resolver allowing this situation to persist
>to be "wrong/buggy".

In operations, you have to deal with the bad a lot - in fact, by the very
nature of the bad being bad, you deal more with the bad than the good.
(The good is hidden under automation.)  Giving names to the bad is very
helpful for that reason.  (Root cause voice call recordings, staff
turnover, these are places where common terminology is helpful regardless
of whether the term describes something good or something bad.)
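As an added illustration of the RFC 2181 section 5.4.1 ranking the message above points to (example code written for this archive page; it is not from the message, the thread, or any real resolver): a toy cache that stores, per (name, type), the most trustworthy RRset it has seen, beside a "parent-centric" variant that ranks data learned from the parent's referral above the child's own authoritative answer. The zone names, addresses and the sequence of messages are constructed to mirror the stale-glue incident described in the post; they are not the details the author omitted.

```python
"""RFC 2181 section 5.4.1 "Ranking Data" applied to a toy resolver cache.

Added example for this thread; not code from the message above or from any
resolver. Names, addresses and the 'parent-centric' variant are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rank(IntEnum):
    """Trustworthiness of an RRset by where it came from (RFC 2181 5.4.1).

    Higher value = more trustworthy. Groupings follow the RFC; the member
    names are this example's own.
    """
    ADDITIONAL_OR_NONAUTH_AUTHORITY = 1  # additional section of any reply;
                                         # authority section of a non-authoritative
                                         # reply (e.g. a referral)
    NONAUTH_ANSWER = 2                   # answer section of a non-authoritative reply
    GLUE = 3                             # glue from a primary zone file or zone transfer
    AUTH_AUTHORITY = 4                   # authority section of an authoritative reply
    AUTH_ANSWER = 5                      # answer section of an authoritative reply
    ZONE_TRANSFER = 6                    # non-glue data from a zone transfer
    PRIMARY_ZONE = 7                     # non-glue data from a primary zone file


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple  # rdata strings, kept sorted so RRsets compare as sets
    rank: Rank


class Cache:
    """Keeps, per (name, type), the most trustworthy RRset offered so far.

    parent_centric=True models the bug discussed in the thread: anything
    learned from the parent's referral (its copy of the NS set, its glue)
    outranks what the child says about itself.
    """

    def __init__(self, parent_centric=False):
        self.parent_centric = parent_centric
        self._store = {}

    def offer(self, rrset, from_referral=False):
        rank = rrset.rank
        if self.parent_centric and from_referral:
            rank = Rank.PRIMARY_ZONE  # the mistake: parent's copy treated as gospel
        key = (rrset.name.lower(), rrset.rtype)
        old = self._store.get(key)
        # RFC 2181 5.4.1: more trustworthy data replaces what is cached, less
        # trustworthy data is ignored; on equal rank either is allowed, and
        # this cache keeps what it already has.
        if old is None or rank > old[1]:
            self._store[key] = (rrset, rank)
            return True
        return False

    def get(self, name, rtype):
        entry = self._store.get((name.lower(), rtype))
        return entry[0].rdata if entry else None


# Constructed messages; addresses are from the RFC 5737 documentation ranges.
def referral_from_parent():
    """Stale delegation still in the TLD: old NS name plus old glue (AA=0)."""
    low = Rank.ADDITIONAL_OR_NONAUTH_AUTHORITY
    return [
        RRset("victim.example.", "NS", ("ns1.victim.example.",), low),  # authority section
        RRset("ns1.victim.example.", "A", ("192.0.2.1",), low),          # additional (glue)
    ]


def answer_from_child():
    """What victim.example's current servers say about themselves (AA=1)."""
    return [
        RRset("victim.example.", "NS", ("ns.newhost.example.",), Rank.AUTH_ANSWER),
        RRset("ns.newhost.example.", "A", ("198.51.100.7",), Rank.AUTH_ANSWER),
    ]


def run_scenario(parent_centric):
    """Referral, then the child's authoritative answer, then the referral again.

    Returns the NS rdata the cache ends up believing for victim.example.
    """
    cache = Cache(parent_centric=parent_centric)
    for rr in referral_from_parent():
        cache.offer(rr, from_referral=True)
    for rr in answer_from_child():
        cache.offer(rr)
    for rr in referral_from_parent():  # the stale data keeps being served
        cache.offer(rr, from_referral=True)
    return cache.get("victim.example.", "NS")


if __name__ == "__main__":
    print("RFC 2181 ranking:", run_scenario(parent_centric=False))
    print("parent-centric  :", run_scenario(parent_centric=True))
```

Under the RFC 2181 ranking the child's answer-section NS set (rank 5) displaces the referral's copy (rank 1) and a later referral cannot push it back out; in the parent-centric cache the referral data outranks everything, so the stale NS name and glue persist for as long as the TLD keeps serving them, which is the effect the post describes.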