Re: [DNSOP] DNS terminology: "In-bailiwick response", "Out-of-bailiwick response"

Paul Hoffman <paul.hoffman@vpnc.org> Thu, 19 March 2015 00:22 UTC

On Mar 18, 2015, at 2:29 PM, Robert Edmonds <edmonds@mycre.ws> wrote:
> draft-hoffman-dns-terminology-02 has the following definitions:
> 
>   In-bailiwick response -- A response in which the name server
>   answering is authoritative for an ancestor of the owner name in the
>   response.  The term normally is used when discussing the relevancy of
>   glue records.  For example, the parent zone example.com might reply
>   with glue records for ns.child.example.com.  Because the
>   child.example.com zone is a descendant of the example.com zone, the
>   glue is in-bailiwick.
> 
>   Out-of-bailiwick response -- A response in which the name server
>   answering is not authoritative for an ancestor of the owner name in
>   the response.
> 
> A few comments:
> 
> * A zone can't send a reply; the authoritative server for a zone can.
> 
> * "Response" isn't defined(!), nor is "reply".  I was (pedantically)
>   thinking of an RFC 1035 §4 message with the QR bit set to 1 at first,
>   but that doesn't fit well in the context of "the owner name in the
>   response", because a response message can contain RRs with different
>   owner names, and records within a response message can be
>   individually considered in-bailiwick or out-of-bailiwick.  It would
>   be good to clarify which owner name is being compared.
> 
> * RFC 5452 §6, though it uses "in-domain" rather than "in-bailiwick",
>   uses the concept of "deeming" the authoritativeness of a record.
>   RFC 3833 §2.3 refers to "the long-standing defense of checking RRs in
>   response messages for relevance to the original query".  I think
>   these two RFCs are alluding to the same or a similar bailiwick
>   concept being defined here.
> 
>   Is "in-bailiwick" / "out-of-bailiwick" a property of the data in the
>   DNS and how authoritative servers are configured to use it, or is it
>   a determination (a "deeming") by a recursive server that the data has
>   this property?  I favor the latter, because it is useful to have
>   dedicated terminology for the process of determining a server's
>   authority, but maybe a separate definition would be helpful:
> 
>   Bailiwick checking -- The process of determining whether a record in
>   a response message should be considered "in-bailiwick" or
>   "out-of-bailiwick".

Ah, the joys of defining terms that have been used a long time, but almost never in RFCs. Grep all the RFCs: you'll see "bailiwick" is used, but not defined, in RFC 6763 and 7477, and nowhere else.

I think "response" and "reply" don't need to be defined, but they do need to be used more carefully, and we didn't do that here, I think (but my co-authors might disagree with me). From looking at your concerns and the general use of "bailiwick", I propose that it is records, not responses, that are in- or out-of.

Further, I disagree with this being about "deeming". There is a simple rule (the owner name is a subzone of the answer), whereas "deeming" indicates that there might be other logic that is not given here.

Proposed rewording, quite open to editing or reversion:

In-bailiwick -- A glue record in which the name server answering is authoritative for an ancestor of the owner name in the record.  The term normally is used when discussing the relevancy of glue records.  For example, the server for the parent zone example.com might reply with glue records for ns.child.example.com.  Because the child.example.com zone is a descendant of the example.com zone, both glue records are in-bailiwick.

Out-of-bailiwick -- A glue record in which the name server answering is not authoritative for an ancestor of the owner name of the record.

--Paul Hoffman
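The "simple rule" from the message above, as a resolver-side bailiwick check over individual records rather than whole responses, written as an added illustration that is not part of the thread or of the draft. It assumes the caller already knows which zone the answering server is authoritative for (`authoritative_zone`) and compares owner names label by label, so that a name like ns.notexample.com is not mistaken for a descendant of example.com.

```python
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring the trailing root dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_ancestor_or_equal(zone: str, owner: str) -> bool:
    """True if `zone` is an ancestor of (or equal to) `owner`.

    Compares whole labels from the right, not string suffixes, so
    'example.com' covers 'ns.child.example.com' but not 'ns.notexample.com'.
    The root zone ('.' or '') is an ancestor of every name.
    """
    z, o = _labels(zone), _labels(owner)
    return len(z) <= len(o) and o[len(o) - len(z):] == z


def classify_glue(authoritative_zone: str, records: List[Record]):
    """Split records from one response into in- and out-of-bailiwick lists.

    Rule from the message: a record is in-bailiwick when the answering
    server is authoritative for an ancestor of the record's owner name.
    A cautious resolver caches only the first list from this server.
    """
    in_bailiwick: List[Record] = []
    out_of_bailiwick: List[Record] = []
    for rec in records:
        target = in_bailiwick if is_ancestor_or_equal(authoritative_zone, rec[0]) else out_of_bailiwick
        target.append(rec)
    return in_bailiwick, out_of_bailiwick


# Constructed sample: additional-section records in a referral sent by the
# example.com server for child.example.com (addresses are documentation ranges).
SAMPLE_ADDITIONAL: List[Record] = [
    ("ns.child.example.com.", "A", "192.0.2.1"),   # in-bailiwick glue
    ("ns.example.net.", "A", "198.51.100.1"),      # out-of-bailiwick
    ("ns.notexample.com.", "A", "203.0.113.1"),    # string-suffix trap, out-of-bailiwick
]

if __name__ == "__main__":
    accepted, discarded = classify_glue("example.com", SAMPLE_ADDITIONAL)
    print("accepted:", [r[0] for r in accepted])
    print("discarded:", [r[0] for r in discarded])
```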