Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-glue-is-not-optional-00.txt

"Wessels, Duane" <dwessels@verisign.com> Fri, 05 June 2020 21:22 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: John Levine <johnl@taugh.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Fri, 5 Jun 2020 21:22:55 +0000
Message-ID: <586EA877-975E-4D76-BAD7-7E4DD0B07699@verisign.com>
References: <20200605204057.E46CD1A34F01@ary.qy>
In-Reply-To: <20200605204057.E46CD1A34F01@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EIXx56c3_oYAbZ83CrhjEj9zsQk>


> On Jun 5, 2020, at 1:40 PM, John Levine <johnl@taugh.com> wrote:
> 
> In article <5E86E9EE-A022-44F0-9483-F498A03C39C4@verisign.com> you write:
>>> The current document is indeed ambiguous. I propose that it be changed to:
>>>  If all glue RRs do not fit, set TC=1 in the header.
>> 
>> I believe this is contrary to how most authoritative DNS software works today, isn't it?
> 
> I hope not. If it sends only part of the glue without a hint that
> there's more if they requery, that's a recipe for failure. People sent
> some examples last week.
> 

Here's one example, 0124.org which has five in-domain name servers with glue:

$ for sz in `seq 604 16 700`; do echo -n "BUFSIZE $sz " ; dig +norec +ignore +dnssec +bufsize=$sz @199.19.57.1 0124.org | grep ';; flags:' ; done
BUFSIZE 604 ;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
BUFSIZE 620 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
BUFSIZE 636 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 2
BUFSIZE 652 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 3
BUFSIZE 668 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 4
BUFSIZE 684 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 5
BUFSIZE 700 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6

Note that one of the Additional RRs is always the OPT RR.

And from everyone's favorite, the root servers:

$ for s in a b c d e f g h i j k l m ; do echo -n "$s  " ; dig @$s.root-servers.net +dnssec +norec +ignore +bufsize=700 example.com | grep ';; flags:' ; done
a  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
b  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
c  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
d  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 7
e  ;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
f  ;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
g  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
h  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 7
i  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
j  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 5
k  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 7
l  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 7
m  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 7



DW
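
The check applied by eye to the 0124.org output above can be scripted. This is an added example, not part of the original message: it reads `;; flags:` lines such as those dig printed and marks each response that carries fewer glue records than expected without setting TC. The function names and the expected glue count of 5 (the BUFSIZE 700 row minus the OPT RR) are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag referrals that drop glue without setting TC.
# Input lines look like: "<label> ;; flags: qr [tc]; QUERY: .., ADDITIONAL: N"
# $1 = expected number of glue RRs (assumption of this example).
classify_glue() {
    awk -v want="$1" '
    /;; flags:/ {
        # Label is whatever precedes ";; flags:" (e.g. "BUFSIZE 620").
        label = $0; sub(/[ \t]*;; flags:.*/, "", label)
        # Header flags sit between "flags:" and the next ";".
        flags = $0; sub(/.*;; flags:/, "", flags); sub(/;.*/, "", flags)
        tc = ((" " flags " ") ~ / tc /) ? 1 : 0
        # ADDITIONAL includes the OPT pseudo-RR, so subtract one.
        n = $0; sub(/.*ADDITIONAL:[ \t]*/, "", n); sub(/[^0-9].*/, "", n)
        glue = n - 1; if (glue < 0) glue = 0
        if (tc)                verdict = "TRUNCATED"
        else if (glue >= want) verdict = "COMPLETE"
        else                   verdict = "PARTIAL-NO-TC"
        printf "%s glue=%d tc=%d %s\n", label, glue, tc, verdict
    }'
}

# Output lines copied from the 0124.org run in the message above.
sample_0124() {
cat <<'EOF'
BUFSIZE 604 ;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
BUFSIZE 620 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1
BUFSIZE 636 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 2
BUFSIZE 652 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 3
BUFSIZE 668 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 4
BUFSIZE 684 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 5
BUFSIZE 700 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
EOF
}

# Number of responses that omitted glue with no TC hint to requery.
count_silent_partial() {
    classify_glue "$1" | awk '/PARTIAL-NO-TC$/ { c++ } END { print c + 0 }'
}

sample_0124 | classify_glue 5
```
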