IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Shumon Huque <shuque@gmail.com> Wed, 29 March 2023 01:54 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC5AC14CE4D for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2023 18:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLTX6FDivog3 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2023 18:54:02 -0700 (PDT)
Received: from mail-yb1-xb2a.google.com (mail-yb1-xb2a.google.com [IPv6:2607:f8b0:4864:20::b2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B87F5C14CE27 for <dnsop@ietf.org>; Tue, 28 Mar 2023 18:54:02 -0700 (PDT)
Received: by mail-yb1-xb2a.google.com with SMTP id e65so17534735ybh.10 for <dnsop@ietf.org>; Tue, 28 Mar 2023 18:54:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680054841; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=KLSZftX+r0APU8tuNVO1go49URtxYdoAoieYrfSIbuo=; b=XQYY8nSYdS24ijJQIvS+t4GlGdy7J2OtV7795fkeEZYZ8/RFs2zIh0nsW8CBngYTW0 cbg7bxLz1T7kWSCX3dd9V6jH2ajTfPYMISnIYKV8eseBrn3iPzkVG3ltqXCtiH+UM/H9 9BVglC1nkjM1SzwCH4EtIEgoMd059nXjOLi3ynCpOizjdy4kyAY7LtiSC2SqeEfXgVxx zW+RKynnCuTMhwY1JpZ3kMv+fdsM4jcn8iBgsvMKaGwjgA8xHXMqdATIwLJtKaAZoSTj cbz0VzU7itUNugvnfqdbBb05QsvnUh0Hcc2Z8UZq/ltjcjIpUUPIBfeo6F7V3t4+CUtZ 8gGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680054841; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=KLSZftX+r0APU8tuNVO1go49URtxYdoAoieYrfSIbuo=; b=qwAEpdWmrBhVreXt2icgaYcPyTUl5cgFYk6y9oV5msjLj2mPtpSp8ge5W1+3P6nXpF koGf+SWxaCbSHBrVnecNz++Jz2GrDGF1Up0xreGEHV87GZePHtQtovNmXewbPJoKfqHj 2fKzMVPqlMjzGzJG8yxHxU9fDpY5GRqmwXWn9FObtzJCs+gXC/mYgklRY4NhN+CRK2MC IAilP04V0SzlJkzuX8CL7EFirUYNwUNmCznfS5AV2ptihCCBkJX2jQIE409bUKLFj0mW LWSFKWr45l0sm86GpmrZCUpx5p9Tr4RWOAgut3cRh/vZfidfBNtF2dubsCvsrAJRNpoA 38fw==
X-Gm-Message-State: AAQBX9e9eoFqEyFWp4ZU1i3XbUEaataskLXmAN6baS59JYfS2OkelPm+ PMoaHBX2que8YuV2uCklKcLcNGsxOrwUvA9cF92BOHiquC4=
X-Google-Smtp-Source: AKy350bYPMEMA1XBjM9MzmpapY9cLY0hPlr0bbta6xK4iPYjimVJv/evIrMl+FqxLOGbkFr6zfqz0SZF9lHHOaHtIQo=
X-Received: by 2002:a25:e08a:0:b0:b72:fff0:2f7f with SMTP id x132-20020a25e08a000000b00b72fff02f7fmr439116ybg.4.1680054841238; Tue, 28 Mar 2023 18:54:01 -0700 (PDT)
MIME-Version: 1.0
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com>
In-Reply-To: <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 29 Mar 2023 10:53:49 +0900
Message-ID: <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
To: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="00000000000003e9ad05f80040ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Et7PjCG7KyPunmB2cYLgZY3q62Q>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 01:54:07 -0000

On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:

>
> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
>
>>
>>
>> On 3/28/23 03:14, Shumon Huque wrote:
>> > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org
>> <mailto:ietf-dane@dukhovni.org>> wrote:
>> >
>> >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>> >     Can we at least state that domains with cyclic dependencies are a
>> bad
>> >     idea, and may not be supported by all resolvers.  In other words,
>> that
>> >     the domain owner can't **rely** on the sibling glue recommended to
>> be
>> >     sent in this draft to save the day.
>> >
>> >     My strong preference is still to delete all reference in the draft
>> to
>> >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>> >     sibling glue primarily as a performance optimisation, and
>> secondarily
>> >     as a last resort when the nameserver IP addresses are wrong or gone
>> >     from the authoritative zone (another bad practice).
>> >
>> >
>> > Viktor - I've so far not seen many other people speak up in support of
>> your
>> > position. I suspect this is because this draft was discussed to death
>> many
>> > months ago during long discussion threads on the list, and there is
>> likely
>> > already rough consensus for the current content. Personally, I would be
>> ok
>> > with adding a statement that configurations involving cyclic
>> dependencies
>> > are not recommended, but others will likely have to also speak up in
>> support
>> > of this too.
>>
>> I support adding such a statement about cyclic dependencies.
>>
>
> As do I.
>

>
>>
>> In addition, I would support saying that data suggests that, while
>> (non-cyclic) glue records may have a benefit in certain cases, they
>> frequently are a source of harm (time-outs), and the trade-off remains
>> unclear.
>>
>
> I would support this as well.
>
> In my anecdotal experience as an operator, I routinely encounter
> mismatches in sibling glue and child zone NS sets that appear to be due to
> the glue being forgotten.  My assumption is that, because it's not
> necessary to operate, when operators fail to update it they don't receive
> any kind of signal that something is wrong.
>
> Viktor's numbers are pretty clear data, though, so nobody should need my
> anecdotes to be convinced.  While sibling glue may be a useful optimisation
> in some cases, given how poorly maintained it is it seems to cause more
> problems than it solves.
>
>
I'd like to remind folks that the scope of this draft when it was adopted
by the working group was very narrow. Mainly to say that 'required' glue
must set TC=1 if it doesn't fit into the DNS response payload. That
required talking about other types of non-mandatory glue like sibling, but
has not proposed to change authoritative server behavior in those areas.

If folks want to deprecate sibling glue entirely, it would be best to write
another draft saying that and see if we can get consensus on that.

Shumon.

v2.23.0 | Report a Bug | By Email