Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-02.txt

John R Levine <johnl@taugh.com> Wed, 28 July 2021 16:20 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6020D3A168D for <dnsop@ietfa.amsl.com>; Wed, 28 Jul 2021 09:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=VMgk26KG; dkim=pass (2048-bit key) header.d=taugh.com header.b=aBbsgVXB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bq-EBL32AP4j for <dnsop@ietfa.amsl.com>; Wed, 28 Jul 2021 09:20:54 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D80ED3A168F for <dnsop@ietf.org>; Wed, 28 Jul 2021 09:20:19 -0700 (PDT)
Received: (qmail 33120 invoked from network); 28 Jul 2021 16:20:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=815b.610183c1.k2107; bh=IcOY7ZfpdFBmKrEUyItBj3sJcQ+lzTUSlYF8DdLm8Zg=; b=VMgk26KG9dyMzOAMXi7aA+WUd7z1HpPyB/jx5Btxjfqs51Y+Kkret969AxO3Fq/ZCQva8H2Q6nqvpzMPea1/oA4U+K9Zm2xMj1fLXA/+6PZfgMyohc0ROQ01VkTlX3NaOZcBK2QlQIb9KnhynjOe/4jKiJxo+OMbV2ccyuaERIYBM7XC5NYdAX6bZwPqYF5KJ3SMkikUw7jfKIrpA3RX3fyLQgXNzpaRfXzTN+3O6QSRVzLrma1kEP43XlwqNZS44b81L9mPr4yFvFjIo6Coca0EZuYpYgPTMbk0WBP2SdcrVkEZVAWM+E8rYzZQy6IaiYaNcvDJlQp8fMJnAyQtlg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=815b.610183c1.k2107; bh=IcOY7ZfpdFBmKrEUyItBj3sJcQ+lzTUSlYF8DdLm8Zg=; b=aBbsgVXBRK57oXUe3fERax91mSMboN2msigX6d80FmkaCgs6OgMgNy1l/4+MAHJ4hCwRZ7BsN6Mc0maHz5JIzG1aH3E+6l0jNh2wYIcH4ukuZSjuR547C2J2nFiYxyEgiLrFbDmavyaE01FOSzgVMN53vmj4uGHx68ianKI1aR/Yodfe5ZcCTDSfUMhTZI4bNTR61NGS01YRH9I1zj5dhR26Egq9nyjb/a1GTj4Vi4x2HfxBZbl5ixSclxEOFK1nvVVMHwKeCFPC0r5dStFgpanNymmulSjTiSTZnuA7XNFNyvfvbhk7++JzrVV02ikIiWH38jBSQ2McaDROHtKT8w==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 28 Jul 2021 16:20:17 -0000
Received: by ary.qy (Postfix, from userid 501) id DBCB8253FB37; Wed, 28 Jul 2021 12:20:15 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 8983B253FB19; Wed, 28 Jul 2021 12:20:15 -0400 (EDT)
Date: 28 Jul 2021 12:20:15 -0400
Message-ID: <73667455-8940-93ff-7c80-bfbac56ab0d0@taugh.com>
From: "John R Levine" <johnl@taugh.com>
To: "Shumon Huque" <shuque@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
X-X-Sender: johnl@ary.qy
In-Reply-To: <CAHPuVdWDVmq1=B1oqzzx9cCc6E0xEAtMDXLf=g_GdQEW+Mi8=Q@mail.gmail.com>
References: <CA+9_gVstayRZufjKbi3TgKxnsg-Jt52y1Z3Znnmocyf_iSdoiQ@mail.gmail.com> <20210727201504.2939B25365A4@ary.qy> <CAHPuVdX4jwn=U9ONkuGd_LU0cgcGVyNpy7=aHnjqtX8MHTj2tg@mail.gmail.com> <372D08DF-8FD5-48EF-9D1F-261F8E185DFC@gmail.com> <CAHPuVdWDVmq1=B1oqzzx9cCc6E0xEAtMDXLf=g_GdQEW+Mi8=Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6jnYgAwUtGU1PigUyToEKkVztxA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 16:20:59 -0000

On Wed, 28 Jul 2021, Shumon Huque wrote:
> Sibling glue was already covered in RFC 1034 (even though there was no term
> for it). ...

Sure, but we've been cleaning up the ambiguities and errors in 1034 for 30 
years.  A straightforward reading of that paragraph also gives you the 
Kaminsky attack.

The simplest way to defend agaist cache poisoning is to accept only 
in-bailiwick glue which you can do with a string comparison.  If you're 
going to accept sibling glue, now you have to look up the tree and see if 
both names have the same parent.  That's not all that hard, but it's a big 
step up in implementation complexity from the string comparison.

How about this?

  foo.test NS abc.def.bar.test
  abc.def.bar.test A 10.11.12.13

but there's a zone cut at def.bar.test.  Is a nephew* still a sibling? 
What if that zone cut is in the PSL?  I have no idea and I don't think I 
want to find out.

"MUST" in RFC-ese means you have to do something in order to interoperate. 
I think we all agree that the DNS will operate fine without sibling glue, 
other than NS loops which I personally don't care about. That makes it at 
most a MAY, and I agree with Geoff's reasons to take it out completely.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

* - I don't know of an English word that means niece-or-nephew