[DNSOP] Comments on draft-dnsop-deleg-00.txt - section 2
Edward Lewis <edward.lewis@icann.org> Thu, 25 January 2024 17:18 UTC
Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B4CC14F60E for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2024 09:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 580i3huM7D76 for <dnsop@ietfa.amsl.com>; Thu, 25 Jan 2024 09:18:41 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EF57C14F60D for <dnsop@ietf.org>; Thu, 25 Jan 2024 09:18:40 -0800 (PST)
Received: from MBX112-W2-VA-1.pexch112.icann.org (out.mail.icann.org [64.78.48.207]) by ppa4.dc.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 40PHHofW024804 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dnsop@ietf.org>; Thu, 25 Jan 2024 09:17:50 -0800
Received: from MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) by MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Thu, 25 Jan 2024 12:18:39 -0500
Received: from MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) by MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) with mapi id 15.02.1258.028; Thu, 25 Jan 2024 12:18:39 -0500
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Comments on draft-dnsop-deleg-00.txt - section 2
Thread-Index: AQHaT7KJBW1FY/uJg0u3UUDZ62rv9w==
Date: Thu, 25 Jan 2024 17:18:39 +0000
Message-ID: <8242ED36-21E1-4882-B1B2-5CF3B5D2390E@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
x-originating-ip: [192.0.47.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <A76B56EA3A4163428D254667182E27F5@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-25_10,2024-01-25_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EcNZyiy6bu00a3kPwU4kftbirLo>
Subject: [DNSOP] Comments on draft-dnsop-deleg-00.txt - section 2
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2024 17:18:41 -0000
As I'm not writing code, my comments will be less detailed... # 2. DELEG Record Type ... # 2.1. Difference between the records # # This document uses two different resource record types. Both records # have the same functionality, with the difference between them being # that the DELEG record MUST only be used at a delegation point, while # the SVCB is used as a normal resource record and does not indicate # that the label is being delegated. For example, take the following # DELEG record: # # Zone com.: # example.com. 86400 IN DELEG 1 config2.example.net. Introducing something via an example leads to problems later on, as "definitions by example" create corner case gaps. Even though it is said that the DELEG shares the format of the SVCB record, it would be good to give the generic definition first. For one, having not read the SVCB document, the first RDATA field (1 or 0) seems to indicate whether the second field is the target for the requester or is another domain name the requester needs to consult. It's not clear what happens if this value is 2 or more. ... # The primary difference between the two records is that the DELEG # record means that anything under the record label should be queried # at the delegated server while the SVCB record is just for redirection # purposes, and any names under the record's label should still be # resolved using the same server unless otherwise delegated. Earlier it is said that the DELEG resource record is like the SVCB resource record, with some differences. When applying for an entry in the Resource Record (RR) TYPEs registry an application has to justify why a new type is needed. For this, it would be good to have a section enumerating the reasons why DELEG needs a different type than SVCB. (I know there are reasons, would be good to put them up with a generic definition of the resource record.) # 2.2. AliasMode Record Type ... # # example.com. 86400 IN DELEG 0 config1.example.net. Does the "0" mean that this is AliasMode? # 2.2.2. Loop Prevention # # The TargetName of an SVCB or DELEG record MAY be the owner of a CNAME # record. Resolvers MUST follow CNAMEs as well as further alias SVCB # records as normal, but MUST not allow more then 4 total lookups per # delegation, with the first one being the DELEG referral and then 3 # SVCB/CNAME lookups maximal. A few questions - why 4? (Besides it being tradition?) Does the count of 4 include CNAME's? What if it is DELEG CNAME CNAME CNAME SVCB CNAME CNAME CNAME? What are the practical reasons for such chains (e.g., why would an operator ever see this)? ...I'm asking in the sense that some protocol elements are defined to be as general as possible, which winds up being a code implementation headache and then operator headache with little or no payoff...I'm not denying this may be useful, but a case should be made for it. # Special care should be taken by both the zone owner and the delegated # zone operator to ensure that a lookup loop is not created by having # two AliasMode records rely on each other to serve the zone. Doing so # may result in a resolution loop, and likely a denial of service. The # mechanism on following CNAME and SVCB alias above should prevent # exhaustion of server resources. If a resolution can not be found # after 4 lookups the server should reply with a SERVFAIL error code. It seems that the intent is to count each DELEG->CNAME->SVCB transition. Okay, but the question of "why 4" still holds. # 2.3. Deployment Considerations ... # 2.3.3. Availability # # If a zone operator removes all NS records before DELEG and SVCB # records are implemented by all clients, the availability of their # zones will be impacted for the clients that are using non-supporting # resolvers. In some cases, this may be a desired quality, but should # be noted by zone owners and operators. There are application servers (web servers) that function (poorly) today where there is a delegation from a parent to a child zone that does not answer to NS records. I used to see a lot of mangled DNS implementations that would only return address records (A resource records and maybe even AAAA resource records). These situations work because of liberal resolvers, making use of the glue to send address requests to what the glue indicates, and those servers answering to A or AAAA requests. When an operator decides to go all DELEG, meaning no more NS (DS), it might look like today's "broken set up" that only answers addresses. I don't think that last sentence adequately covers the situation. I don't have a suggest now. # 2.4. Response Size Considerations # ...This has become a larger concern (meaning from the 90's to the now's) than when DNSSEC was first designed. Besides trying to make the DELEG as bitspace-efficient as possible, what can be done to simplify the use to minimize the number of DELEG/SVCB/... are needed (without getting specific here on what metric is minimized.)
- [DNSOP] Comments on draft-dnsop-deleg-00.txt - se… Edward Lewis