[DNSOP] draft-ietf-dnsop-zoneversion doesn't handle this situation

"John R. Levine" <johnl@iecc.com> Mon, 17 June 2024 18:54 UTC

Date: Mon, 17 Jun 2024 14:54:46 -0400
Message-ID: <cb32865e-ac5b-5145-c5ef-23866f58170c@iecc.com>
From: "John R. Levine" <johnl@iecc.com>
To: dnsop <dnsop@ietf.org>, draft-ietf-dnsop-zoneversion@ietf.org
In-Reply-To: <CAHw9_iJMCxSdXM3DKP1yN8mk-05App-CAEYnZ5xMnNOnkR3WGw@mail.gmail.com>
References: <CAHw9_iJMCxSdXM3DKP1yN8mk-05App-CAEYnZ5xMnNOnkR3WGw@mail.gmail.com>
Subject: [DNSOP] draft-ietf-dnsop-zoneversion doesn't handle this situation
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9WRKjs181_jZhSEbHZ-9smivcVo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

It currently says:

  A name server MAY include more than one ZONEVERSION option in the
  response if it supports multiple TYPEs. A name server MUST NOT include
  more than one ZONEVERSION option for a given TYPE.

Here is a real life example from my server sdn.iecc.com:

;; QUESTION SECTION:
;com.ws.sp.am.			IN	A

;; ANSWER SECTION:
ws.sp.am.		300	IN	DNAME	whois.services.net.
com.ws.sp.am.		300	IN	CNAME	com.whois.services.net.
com.whois.services.net.	300	IN	CNAME	whois.verisign-grs.com.

The query is for com.ws.sp.am, which is a DNAME in ws.sp.am which points
to a name in whois.services.net which is another CNAME.  Both zones are
on the same server, so it answers for both.

In this case you can tell that the first CNAME is invented from the
DNAME, but imagine if the first CNAME was actually in the ws.sp.am
zone. If you only get one CNAME version response, which one is it, and
how can the client tell which one it refers to? Or if you really mean
that there should be one response per zone rather than one per RRTYPE,
how do you match them up?

R's,
John
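The following is an added wire-level walk-through of the situation in the message above; it is not part of John's post and not code from the draft. It assumes the option layout the draft describes (a one-octet LABELCOUNT giving the number of labels of the zone name, a one-octet TYPE where 0 is SOA-SERIAL, then the VERSION), assumes OPTION-CODE 19 for ZONEVERSION, and uses made-up serial numbers. The answer section is reconstructed from the dig output quoted in the post. The interpreter applies LABELCOUNT to the QNAME, as a client would, and also to every other owner name the CNAME chain visits, to show that a single SOA-SERIAL option with LABELCOUNT 3 could describe either ws.sp.am or whois.services.net, while sending one option per zone trips the "MUST NOT include more than one ZONEVERSION option for a given TYPE" rule.

```python
import struct

ZONEVERSION_CODE = 19    # assumed: the IANA option code for ZONEVERSION
TYPE_SOA_SERIAL = 0      # assumed: TYPE 0 = SOA-SERIAL, VERSION is 4 octets

def labels(name):
    """Split a dotted, absolute name into its labels (root omitted)."""
    return [l for l in name.rstrip(".").split(".") if l]

def encode_zoneversion(zone, serial, type_=TYPE_SOA_SERIAL):
    """OPTION-DATA of one option: LABELCOUNT (1), TYPE (1), VERSION (4 here)."""
    return struct.pack("!BBI", len(labels(zone)), type_, serial)

def encode_opt_rdata(options):
    """Pack (OPTION-CODE, OPTION-DATA) pairs into OPT RR RDATA."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)

def decode_opt_rdata(rdata):
    """Unpack OPT RDATA into (code, data) pairs, rejecting truncation."""
    out, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, i)
        i += 4
        if i + length > len(rdata):
            raise ValueError("truncated option data")
        out.append((code, rdata[i:i + length]))
        i += length
    return out

def parse_zoneversion(data):
    """Return (labelcount, type, version) from one option's OPTION-DATA."""
    if len(data) < 2:
        raise ValueError("ZONEVERSION option too short")
    labelcount, type_, version = data[0], data[1], data[2:]
    if type_ == TYPE_SOA_SERIAL and len(version) != 4:
        raise ValueError("SOA-SERIAL VERSION must be exactly 4 octets")
    return labelcount, type_, version

def zone_from_labelcount(name, labelcount):
    """The zone LABELCOUNT designates: the rightmost LABELCOUNT labels of name."""
    ls = labels(name)
    if labelcount > len(ls):
        raise ValueError("LABELCOUNT %d exceeds labels of %s" % (labelcount, name))
    return ".".join(ls[len(ls) - labelcount:]) + "."

def synthesize_cname(qname, dname_owner, dname_target):
    """RFC 6672 DNAME substitution: replace the DNAME owner suffix by its target."""
    if not qname.endswith("." + dname_owner):
        raise ValueError("%s is not below %s" % (qname, dname_owner))
    return qname[:-len(dname_owner)] + dname_target

def chain_owners(qname, answer):
    """Owner names a resolver visits in this answer section, QNAME first."""
    owners_in_answer = {o for o, _, _ in answer}
    cname = {o: tgt for o, t, tgt in answer if t == "CNAME"}
    visited, name = [qname], qname
    while name in cname and cname[name] in owners_in_answer:
        name = cname[name]
        visited.append(name)
    return visited

def interpret_response(qname, answer, opt_rdata):
    """Decode the ZONEVERSION options; for each, give the zone a client gets by
    applying LABELCOUNT to QNAME and every zone it could get from the chain.
    Enforces the draft's MUST NOT: at most one option per TYPE."""
    seen, result = set(), []
    for code, data in decode_opt_rdata(opt_rdata):
        if code != ZONEVERSION_CODE:
            continue
        labelcount, type_, version = parse_zoneversion(data)
        if type_ in seen:
            raise ValueError("more than one ZONEVERSION option for TYPE %d" % type_)
        seen.add(type_)
        value = struct.unpack("!I", version)[0] if type_ == TYPE_SOA_SERIAL else version
        candidates = {zone_from_labelcount(n, labelcount)
                      for n in chain_owners(qname, answer)
                      if len(labels(n)) >= labelcount}
        result.append({"type": type_, "version": value, "labelcount": labelcount,
                       "qname_zone": zone_from_labelcount(qname, labelcount),
                       "candidate_zones": sorted(candidates)})
    return result

# Constructed from the answer section quoted in the post; serials are made up.
QNAME = "com.ws.sp.am."
ANSWER = [
    ("ws.sp.am.", "DNAME", "whois.services.net."),
    ("com.ws.sp.am.", "CNAME", "com.whois.services.net."),
    ("com.whois.services.net.", "CNAME", "whois.verisign-grs.com."),
]
SERIALS = {"ws.sp.am.": 2024061701, "whois.services.net.": 2024061702}

def single_option_response():
    """What the draft permits: one SOA-SERIAL option, here for ws.sp.am."""
    return encode_opt_rdata([(ZONEVERSION_CODE,
                              encode_zoneversion("ws.sp.am.", SERIALS["ws.sp.am."]))])

def two_zone_response():
    """One option per zone the chain touches; same TYPE twice, so not permitted."""
    return encode_opt_rdata([(ZONEVERSION_CODE, encode_zoneversion(z, s))
                             for z, s in SERIALS.items()])

if __name__ == "__main__":
    print(interpret_response(QNAME, ANSWER, single_option_response()))
```

Run stand-alone it prints the decoded single option: LABELCOUNT 3 resolves to ws.sp.am. against the QNAME, but both ws.sp.am. and whois.services.net. have three labels, so the same option applied to the second owner name in the chain names the other zone. Feeding it two_zone_response() raises, because both options carry TYPE 0.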