IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

"Wessels, Duane" <dwessels@verisign.com> Wed, 29 March 2023 01:58 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83898C14CE4D for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2023 18:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id goZKZ6ru5o17 for <dnsop@ietfa.amsl.com>; Tue, 28 Mar 2023 18:58:36 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FE35C15153D for <dnsop@ietf.org>; Tue, 28 Mar 2023 18:58:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=4652; q=dns/txt; s=VRSN; t=1680055117; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=tkHbnGtDSVh940PRXO98qT10u5DnFru5nv6xayhiVrg=; b=Z0HL8SKzEF8+boB7Zzk4SPPU6i0ZsB/hRLkUStr+T8HCaXs/RoLejodB ooDBzuyymQMN56jTCl6wLORQ6lMvqlPqa/gA8me7hcEOhNN14mnZSDOsi BxvZsb5zbQKvAijY+s35n+3cCNuXEBmK0i7gdOkg/eOBfNDSBiuNKB/Rl sirvY1ns0LFM7l+kyERSOeEjkhMglXd4f4YSiuJ7FvkbjmF9GdT+vmHwY btQHxdVHhP0QhzSaCyGEt6TVy0wDTXIHqTNOQSV20y3FRb4LxtwoK/Ftb zW0nmpBHuDxKD2qVmz0av7DzWoE/BCGBIyTF84nhMZsPfp0UmOkifIjBI A==;
IronPort-Data: A9a23:NFYkk6PktxQ41AjvrR3FlsFynXyQoLVcMsEvi/4bfWQNrUojhGYOz jFJDW/XPv7cZWH2fYx2b9nj9xtUucWHzdZnHAZtpSBmQkwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6j+fQLlbFILasEjhrQgN5QzsWhxtmmuoo6qZlmtHR7zml4 LsemOWCfg71s9JIGjhMsfnb80k/5KiaVA4w5TTSW9ga5DcyqFFIVPrzFYnpR1PkT49dGPKNR uqr5NlVKUuAon/Bovv8+lrKWhViroz6ZGBiuVIPM0SWuSWukwRpukoNHKFFNRoI0WXhc+dZk 72hvbToIesgFvOUxLRFC3G0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0s9NEEpC2 +4VFB8yMxmigb+Vh6/jRvY506zPLOGzVG8eklta62jmK9sWGcqFXa7N/8ce1Tt2mNpVG7DVY M9xhThHNUyGOkIUfA5KU9RizY9EhVGmG9FcgF6KqLEs7mzI5BJ8yrn2MdXTPNeNQK25m27C/ jOapjigWXn2MvTP7jmfwl6hp9OIgB35QYYJL52V68dD1Qj7Kms7TUd+uUGAieK5l1ejVvpQL kUV/mwlqq1a3ECtVd7ldxy1vHDCuQQTM+e8CMUw8gfU1azZ817DQ3MaVHhEacdjvshwTyYsj xmXhcjvQzdotdV5VE6gy1tdlhvqUQB9EIPITXZsodctizU7nLwOsw==
IronPort-HdrOrdr: A9a23:EKGSs655VbOvnaiNSgPXwBXXdLJyesId70hD6qkXc20xTiX4rb HNoB1173/JYVoqNk3I+uruBEDoexq1yXcf2/hzAV7NZmjbkVrtAo1k4ZDr3jHsXwbvn9Qw6Y 5QN4xzEsf5A1Q/r8rriTPTL/8QhP2K6rqhi+ub9WpqVg0CUcxdxh10ERmWCXd7QwR6BZ40fa D22vZ6
X-IronPort-AV: E=Sophos;i="5.98,299,1673931600"; d="scan'208";a="20941413"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.23; Tue, 28 Mar 2023 21:58:35 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.023; Tue, 28 Mar 2023 21:58:35 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shumon Huque <shuque@gmail.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
Thread-Index: AQHZYeH4QS0DfnLQXkCle7repNW3Iw==
Date: Wed, 29 Mar 2023 01:58:34 +0000
Message-ID: <FD4826E8-089F-46D0-B2B5-06B06346F72A@verisign.com>
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
In-Reply-To: <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.2)
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-ID: <B8838AB6820F2942BFACE7C12CFE7F5F@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KFuKSX2NJwovlSH2EtWJxqAUIPk>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 01:58:40 -0000


> On Mar 29, 2023, at 10:53 AM, Shumon Huque <shuque@gmail.com> wrote:
> 
> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
> 
> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
> 
> 
> On 3/28/23 03:14, Shumon Huque wrote:
> > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
> > 
> >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
> >     Can we at least state that domains with cyclic dependencies are a bad
> >     idea, and may not be supported by all resolvers.  In other words, that
> >     the domain owner can't **rely** on the sibling glue recommended to be
> >     sent in this draft to save the day.
> > 
> >     My strong preference is still to delete all reference in the draft to
> >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
> >     sibling glue primarily as a performance optimisation, and secondarily
> >     as a last resort when the nameserver IP addresses are wrong or gone
> >     from the authoritative zone (another bad practice).
> > 
> > 
> > Viktor - I've so far not seen many other people speak up in support of your
> > position. I suspect this is because this draft was discussed to death many
> > months ago during long discussion threads on the list, and there is likely
> > already rough consensus for the current content. Personally, I would be ok
> > with adding a statement that configurations involving cyclic dependencies
> > are not recommended, but others will likely have to also speak up in support
> > of this too.
> 
> I support adding such a statement about cyclic dependencies.
> 
> As do I. 
>  
> 
> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
> 
> I would support this as well.
> 
> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
> 
> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.
> 
> 
> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
> 
> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.
> 

I agree with this position.  The scope of the draft is about message size and behavior when glue records don’t fit.  Although the “glue is not optional” name is catchy, in hindsight I think a different name would better reflect the intent of the document.

DW

v2.23.0 | Report a Bug | By Email