Re: [DNSOP] DNS Delegation Requirements

"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Thu, 17 March 2016 22:14 UTC

From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: dnsop <dnsop@ietf.org>
Date: Thu, 17 Mar 2016 22:14:06 +0000
Message-ID: <f689c060d98549628d07a64c7fa34c40@mxph4chrw.fgremc.it>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se> <20160317164524.59a212a9@localhost>
In-Reply-To: <20160317164524.59a212a9@localhost>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/7GCa2tnCbjuacAjjaU5ajaz-7kY>

With respect to

"ptr names of NS addresses should match the associated A/AAAA names"

you might want to 
a) avoid or modify the term "ptr names", since there is nothing about the PTR record type which *restricts* it to the reverse-mapping function, and
b) disclaim the recommendation as only a soft one, since it is common for a single authoritative nameserver to be delegated different zones via a diversity of names, yet we don't want to encourage anyone to populate a single reverse-mapping entry with *multiple* PTR RRs, since this doesn't produce useful results and thus effectively only wastes space in DNS databases and response packets. Alternatively, if we want to recommend that the mapping of any given NS name to a particular A/AAAA address must be *unique*, then that should be spelled out explicitly, irrespective of any recommendations concerning reverse mappings.

- Kevin

-----Original Message-----
From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of John Kristoff
Sent: Thursday, March 17, 2016 5:45 PM
To: Jakob Schlyter
Cc: dnsop; Patrik Wallström
Subject: Re: [DNSOP] DNS Delegation Requirements

On Mon, 8 Feb 2016 09:57:15 +0100
Jakob Schlyter <jakob@kirei.se> wrote:

> At this point, we're seeking more public comments - on this mailing
> list (unless the chairs disapprove), on our issue tracker [4] or
> via email to the authors.

Hello Jakob and Patrik.  Some comments as requested.

The introduction lists 8 areas of interest.  All, except "7. Name Server" have their own section in the table of contents.  Oversight?

This sentence is awfully confusing:

  Many requirements in this document deal with the properties of a
  nameserver that is used as part of a delegation, therefore the
  wording mentioning the use of a name server as part of this is
  omitted.

First there is nameserver, then name server as two words.  Which is it?  More importantly, I'm not quite sure what is being said here.  Can you perhaps rewrite, elaborate or provide an example?

You may be interested to know that I recently submitted a draft on DNS over TCP operational requirements.  If that work progresses as I hope, it might help with section 4.2 of your draft.

The consistency requirements might be too strict, since they apply to all zone data.  While reasonable people might fret about inconsistency when things like "views", "geo-location", client-subnet and so on are in use, it might be best to limit consistency requirements to the infrastructure records (e.g. SOA, NS).

Additionally, I could imagine an argument being made that all names need not respond with the same NS RRset.  While generally this delegation or authority list inconsistency is often an indication of a problem, it is feasible that it might be intentional and may even provide some advantage.  The so-called "fast flux" invention by the miscreants taught us that.

Suggesting that name servers be in the same AS is often unnecessary.  More important is diversity in the route announcements covering the name server addresses.  Many might not even be able to easily satisfy this requirement.

A few additional topics you may wish to consider:

  * delegated name server should be authoritative only (no rd service)
  * ptr names of NS addresses should match the associated A/AAAA names
  * name server should run NTP or equivalent so time is accurate
  * DNS TTLs of the NS and A/AAAA name servers MUST be consistent

John
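A defender-side check that brings together John's "ptr names of NS addresses should match" item and Kevin's two caveats: a host delegated under several names, and the temptation to stack multiple PTR RRs at one reverse-mapping name. This is an added example, not code from either author or from the draft; the NS names, addresses and PTR data are constructed and stand in for live A/AAAA and PTR lookups.

```python
from collections import defaultdict
import ipaddress

# Constructed data standing in for live forward/reverse lookups.
NS_NAMES = ["ns1.example.net.", "ns2.example.net.", "dns.example.org."]

FORWARD = {  # NS name -> A/AAAA addresses
    "ns1.example.net.": ["192.0.2.1", "2001:db8::1"],
    "ns2.example.net.": ["192.0.2.2"],
    "dns.example.org.": ["192.0.2.2"],  # same host, delegated under a second name
}

REVERSE = {  # address -> PTR targets at its reverse-mapping name
    "192.0.2.1": ["ns1.example.net."],
    "2001:db8::1": ["mail.example.net."],                   # PTR points elsewhere
    "192.0.2.2": ["ns2.example.net.", "dns.example.org."],  # two PTR RRs at one name
}


def reverse_name(addr):
    """in-addr.arpa / ip6.arpa owner name for an address, as a FQDN."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def check_ptr_consistency(ns_names, forward, reverse):
    """One finding per (NS name, address).  'multiple_ptr' is a warning, not a
    failure: the name does match, but the fix chosen was stacking PTR RRs."""
    findings = []
    for ns in ns_names:
        for addr in forward.get(ns, []):
            ptrs = reverse.get(addr, [])
            if not ptrs:
                status = "missing_ptr"
            elif ns not in ptrs:
                status = "mismatch"
            elif len(ptrs) > 1:
                status = "multiple_ptr"
            else:
                status = "match"
            findings.append((ns, addr, reverse_name(addr), status))
    return findings


def shared_addresses(ns_names, forward):
    """Addresses that more than one NS name resolves to: exactly the case a
    uniqueness rule on the NS-name -> address mapping would have to forbid."""
    owners = defaultdict(set)
    for ns in ns_names:
        for addr in forward.get(ns, []):
            owners[addr].add(ns)
    return {addr: sorted(names) for addr, names in owners.items() if len(names) > 1}
```

Feeding it live data is a matter of replacing FORWARD and REVERSE with the A/AAAA and PTR answers for each delegated NS name; a "multiple_ptr" finding together with a non-empty shared_addresses() result is the situation Kevin describes.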
