[DNSOP] Clarifying referrals (#35)

Andrew Sullivan <ajs@anvilwalrusden.com> Sun, 12 November 2017 07:55 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4E09A1293D9 for <dnsop@ietfa.amsl.com>; Sat, 11 Nov 2017 23:55:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=eeZ83tFF; dkim=pass (1024-bit key) header.d=yitter.info header.b=Lq5mFUMd
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Yaqn5l0rDFlC for <dnsop@ietfa.amsl.com>; Sat, 11 Nov 2017 23:54:52 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72CFC129412 for <dnsop@ietf.org>; Sat, 11 Nov 2017 23:54:52 -0800 (PST)
Received: from localhost (localhost []) by mx4.yitter.info (Postfix) with ESMTP id 997F4BF56C for <dnsop@ietf.org>; Sun, 12 Nov 2017 07:54:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1510473291; bh=nzEXPO/KEhG3yeevwaCjc/okDkKedn5lS1lWHwIkd2o=; h=Date:From:To:Subject:From; b=eeZ83tFFzDaDLQS5pgnye0DQZds7dgrUIY11qILuLzxjPmlKSIMWhMR+EKNShf4jH PzvPJBPtJJxDYwJJ2i9iFynD9uA/rbXiH9I8S70nKJoI3Jza5hkPqGS/TQ3RUULiuh 8SIqtEETodQK9cqnw/A2HQhfAZLiFjMD5mAxDPSQ=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([]) by localhost (mx4.yitter.info []) (amavisd-new, port 10024) with ESMTP id kfmoRYDtQGzZ for <dnsop@ietf.org>; Sun, 12 Nov 2017 07:54:50 +0000 (UTC)
Date: Sun, 12 Nov 2017 02:54:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1510473290; bh=nzEXPO/KEhG3yeevwaCjc/okDkKedn5lS1lWHwIkd2o=; h=Date:From:To:Subject:From; b=Lq5mFUMdYCvvOI+BxOI8iDuwDVP2LBX55aqcru3SaWACGBjqEAESvzGFmnFXRLnIl MRuGAAsJpwnzke2f6/Ccppal1+o0CyrI0axiCc7wMZeSgqm+3pn/36CT66513Pv9ZN vF61ENenFp2egCLjPOLUjhNpk1ZtWlt/qQTZOaSg=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20171112075445.tf2ut5dxzhhnqe7l@mx4.yitter.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/NR9Dg028GTqfcTNES8UcYFbDplI>
Subject: [DNSOP] Clarifying referrals (#35)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2017 07:55:02 -0000

Dear colleagues,

In github tracker issue #35
we have an item about the way Referral is defined in RFC 7719.  The
issue mostly comes from the (as usual incisive) observations of Tony
Finch.  I think he's right.

I think a change is in order, but I'm not fully convinced of the
following text, so that's why I'm putting it here for discussion.  My
co-editors do not deserve the brickbats, so fling them at me.  There
are questions at the end of this proposed text, because there are two
issues about which I am very much in doubt and I'm too lazy to
convince myself of the right answer when I can just ask everyone.

---%<---cut here---

Referral: A type of response in which a server, signalling that it is
not authoritative for an answer, provides the querying resolver with
an alternative place to send its query.

All referral responses follow the same form.  The response has the AA
bit cleared.  It has an empty Answer section.  It has an Authority
section containing an RRset in which the owner name is the referred-to
zone, the class is the queried class, the type is NS, and the RDATA
holds the nameservers for the referred-to owner name as known by the
responding server.  The response might also have an Additonal section
containing glue records.

There are two types of referral response.  The first is a delegation
referral (sometimes described as "delegation response"), where the
server is authoritative for some portion of the QNAME.  The Authority
section RRset's RDATA contains the name servers specified at the zone
cut.  In normal DNS operation, this kind of response is required in
order to find names beneath a delegation.

The second is a non-delegation referral (sometimes described as
"referral response", as distinct from the delegation response above),
where the server is not authoritative for any portion of the QNAME.
In this case, the referred-to zone in the Authority section is
usually[1] the root zone (.).  In normal DNS operation, this kind of
response is not strictly speaking required to work, and in practice
some authoritative server operators will not return referral responses
beyond those required for delegation.

---cut here--->%---

First, on [1], it seems to me that in principle it ought to be
possible for this sort of referral to refer to something other than
. , but I can't come up with an example where it happens or really
ought to happen.  Is this case actually necessarily a referral to the
root?  (In that case, also, the name of this type should be "root
referral", I guess?)

Second, is there any circumstance in which glue in a non-delegation
referral ought not to be treated as possible poison, and just thrown
away?  It seems to me that a root referral ought automatically to
cause the resolver to go to the results of a priming query and follow
that chain.  No?  Also, maybe that's not a terminological issue, and
so it ought to be left out of the document anyway.  In any case, I
seek guidance from the WG.

Best regards,


Andrew Sullivan