Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 21 February 2023 05:32 UTC
Date: Tue, 21 Feb 2023 00:32:32 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <Y/RXcLmPouKn5DJW@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org>
In-Reply-To: <Y+7jR1ouKD6w8V49@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EBT2_wg8XJkArA1boRX7GNSKdKw>
On Thu, Feb 16, 2023 at 09:15:35PM -0500, Viktor Dukhovni wrote:

> There are many more.  We see a steady stream of sibling-glue-related
> lookup failures, that are only resolved after going to the authoritative
> source for the actual IP addresses of the nameservers in question.

I undertook a more comprehensive look, with the .ORG TLD as a case in point.  There I find:

1. 349,332 unique host objects with one or more A or AAAA records.
2. 80,427 are in-bailiwick nameservers of their domain.
3. 6,466 are not nameservers of an ancestor .org name, so only useful as "sibling glue".
4. The remaining 262,575 appear to be garbage, detached from any .org delegation's nameserver name!  Why these are still in the zone is rather a mystery.

This leaves 6,466 cases to examine more closely:

1. 3,773 are in complete agreement with the authoritative A/AAAA records.
2. 1,447 have authoritative A/AAAA records completely distinct from the sibling glue.
3. 1,414 return NXDOMAIN from the auth zone!
4. 74 return NODATA from the auth zone for both A and AAAA!
5. 213 return SERVFAIL from the auth zone A and AAAA lookups.

Of the above, case "1" could perhaps reduce latency, but is otherwise redundant (modulo exceedingly rare cyclic dependencies).  So the question is whether in "2" the authoritative or sibling glue IPs are in practice correct, and whether the auth A/AAAA resolution failures from "3", "4" and "5" are better served by the sibling glue.

To that end, I took a random sample of 20 sibling NS names.  These had 25 auth addresses and 21 sibling glue addresses.  Querying a domain each host is supposed to serve yields the below stats:

            AUTH | GLUE
          +------|-----
  LIVE    |   8  |   2
  LAME    |   4  |   0
  TIMEOUT |  13  |  19

Of the 2 working sibling glue cases, one was also handled by the corresponding auth IP.  So in this random sample, the sibling glue was only "better" 1 in 20 times, with 7 worse and the rest no difference (mostly timeouts).

So far, this does not look like a compelling argument for serving sibling glue...

For cases "3", "4" and "5" I took 20 random nameservers of each type, for a total of 62 associated sibling glue IPs.  Querying each for a name it is expected to serve, the stats are:

    NOERROR:   6
    TIMEOUT:  44
    REFUSED:  10
    SERVFAIL:  2

Again, the sibling glue is mostly no better than nothing, but ~10% of the sampled cases worked out.

Overall, I think the world would be better served without the sibling glue; the incentives to keep it accurate are poorly aligned.  As suspected, where it differs from the authoritative data, it is almost entirely junk.

-- 
    Viktor.
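The two steps of the survey above (sorting a zone's A/AAAA host objects into in-bailiwick glue, sibling glue and orphans, then bucketing each sibling glue host against its authoritative answer), as an added example that is not code from the post or from any .ORG tooling. The zone `test.`, the names under it and the `AUTH` answers are all constructed so the example runs offline; in a real survey `AUTH` would be filled from queries to the child zone's servers.

```python
from collections import defaultdict

APEX = "test."  # constructed zone apex; "test." is a reserved TLD (RFC 6761)

ZONE = [  # constructed zone data as (owner, rrtype, rdata); names lowercase and absolute
    ("alpha.test.", "NS", "ns1.alpha.test."),
    ("alpha.test.", "NS", "ns.beta.test."),    # alpha also uses a host under beta
    ("beta.test.",  "NS", "ns.example.net."),  # beta's own NS is out of zone, no glue
    ("ns1.alpha.test.", "A", "192.0.2.1"),     # in-bailiwick glue for alpha
    ("ns.beta.test.",   "A", "192.0.2.2"),     # sibling glue: beta's own NS set omits it
    ("old.gamma.test.", "A", "192.0.2.4"),     # orphan: no NS in the zone names it
]
# Constructed stand-in for the authoritative A/AAAA lookups: host -> (rcode, addrs).
AUTH = {"ns.beta.test.": ("NOERROR", {"192.0.2.2", "2001:db8::9"})}

def ancestors(host):  # proper ancestors of host lying strictly below the zone apex
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - APEX.count(".") - 1)]

def classify_glue(zone):
    """Return (kinds, glue): host -> in-bailiwick/sibling/orphan, and host -> address set."""
    ns_of, glue = defaultdict(set), defaultdict(set)
    for owner, rrtype, rdata in zone:
        if rrtype == "NS":
            ns_of[owner].add(rdata)
        elif rrtype in ("A", "AAAA"):
            glue[owner].add(rdata)
    kinds = {}
    for host in glue:
        if any(host in ns_of.get(anc, ()) for anc in ancestors(host)):
            kinds[host] = "in-bailiwick"  # named by the delegation it sits under
        elif any(host in nsset for nsset in ns_of.values()):
            kinds[host] = "sibling"       # only some other delegation names it
        else:
            kinds[host] = "orphan"        # detached from every delegation in the zone
    return kinds, glue

def compare_sibling_glue(zone, auth):
    """Bucket each sibling glue host against the authoritative answer, as the survey does."""
    kinds, glue = classify_glue(zone)
    buckets = {}
    for host in (h for h, k in kinds.items() if k == "sibling"):
        rcode, addrs = auth.get(host, ("SERVFAIL", set()))  # no answer counts as SERVFAIL
        if rcode != "NOERROR":
            buckets[host] = rcode   # NXDOMAIN or SERVFAIL (survey cases 3 and 5)
        elif addrs == glue[host]:
            buckets[host] = "agree"  # case 1: glue is redundant with the auth data
        else:  # case 4 (NODATA), case 2 (entirely distinct), or a partial overlap
            buckets[host] = "NODATA" if not addrs else "distinct" if addrs.isdisjoint(glue[host]) else "partial"
    return buckets
```

A partial overlap (some addresses shared, some not) is kept as its own bucket because the survey's "completely distinct" count would otherwise swallow it.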