Re: [DNSOP] DNS Delegation Requirements
John Kristoff <jtk@cymru.com> Thu, 17 March 2016 21:45 UTC
Date: Thu, 17 Mar 2016 16:45:24 -0500
From: John Kristoff <jtk@cymru.com>
To: Jakob Schlyter <jakob@kirei.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/NzT6UvnoIbYrSaAoqyoPdVgND-Q>
Cc: dnsop <dnsop@ietf.org>, Patrik Wallström <patrik.wallstrom@iis.se>

On Mon, 8 Feb 2016 09:57:15 +0100
Jakob Schlyter <jakob@kirei.se> wrote:

> At this point, we're seeking more public comments - on this mailing
> list (unless the chairs disapprove), on our issue tracker [4] or
> via email to the authors.

Hello Jakob and Patrik. Some comments as requested.

The introduction lists 8 areas of interest. All, except "7. Name Server", have their own section in the table of contents. Oversight?

This sentence is awfully confusing:

    Many requirements in this document deal with the properties of a
    nameserver that is used as part of a delegation, therefore the
    wording mentioning the use of a name server as part of this is
    omitted.

First there is nameserver, then name server as two words. Which is it? More importantly, I'm not quite sure what is being said here. Can you perhaps rewrite, elaborate or provide an example?

You may be interested to know that I recently submitted a draft on DNS over TCP operational requirements. If that work progresses as I hope, it might help with section 4.2 of your draft.

The consistency requirements might be too strict, since it applies to all zone data. While reasonable people might fret about inconsistency when things like "views", "geo-location", client-subnet and so on are in use, it might be best to limit consistency requirements to the infrastructure records (e.g. SOA, NS).

Additionally, I could imagine an argument being made that all names need not respond with the same NS RRset. While generally this delegation or authority list inconsistency is often an indication of a problem, it is feasible that it might be intentional and may even provide some advantage. The so-called "fast flux" invention by the miscreants taught us that.

Suggesting that name servers be the same AS is often unnecessary. More important is diversity in the route announcements covering the name server addresses. Many might not even be able to easily satisfy this requirement.

A few additional topics you may wish to consider:

  * delegated name server should be authoritative only (no rd service)
  * ptr names of NS addresses should match the associated A/AAAA names
  * name server should run NTP or equivalent so time is accurate
  * DNS TTLs of the NS and A/AAAA name servers MUST be consistent

John
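
The checks suggested in the message above (consistency limited to SOA and NS, authoritative-only service, PTR matching, TTL consistency), as an added example that is not part of the original message or of the draft under discussion. It runs offline over constructed per-server observations; the field names, the sample zone, and the reading of "TTL consistency" as "NS TTL equals each name server's address-record TTL" are assumptions.

```python
# Added example: offline delegation checks over constructed observations.
# Field names and the sample zone are assumptions, not taken from the draft.

def check_delegation(observations):
    """Return a sorted list of (server, finding) tuples."""
    findings = []
    servers = sorted(observations)
    ref = observations[servers[0]]  # first server is the comparison baseline
    for name in servers:
        obs = observations[name]
        # Authoritative-only: a delegated server should not offer recursion.
        if obs["ra"]:
            findings.append((name, "recursion available"))
        # Consistency limited to infrastructure records (SOA serial, NS RRset).
        if obs["soa_serial"] != ref["soa_serial"]:
            findings.append((name, "SOA serial differs"))
        if set(obs["ns"]) != set(ref["ns"]):
            findings.append((name, "NS RRset differs"))
        for host, (addr, ttl) in sorted(obs["addrs"].items()):
            # Assumed reading: NS TTL equals each address-record TTL.
            if ttl != obs["ns_ttl"]:
                findings.append((name, f"TTL mismatch for {host}"))
            # PTR of the NS address should map back to the NS host name.
            if obs["ptr"].get(addr) != host:
                findings.append((name, f"PTR mismatch for {addr}"))
    return sorted(findings)


def _obs(ra=False, serial=2016031701, ns=("ns1.example.", "ns2.example."),
         ns_ttl=86400, addr_ttl=86400, ptr2="ns2.example."):
    """Build one constructed observation (what one server answered)."""
    return {
        "ra": ra, "soa_serial": serial, "ns": list(ns), "ns_ttl": ns_ttl,
        "addrs": {"ns1.example.": ("192.0.2.1", addr_ttl),
                  "ns2.example.": ("198.51.100.1", 86400)},
        "ptr": {"192.0.2.1": "ns1.example.", "198.51.100.1": ptr2},
    }


# Constructed sample: ns2 offers recursion, lists a different NS RRset,
# serves a short address TTL, and has a PTR that does not map back.
SAMPLE = {
    "ns1.example.": _obs(),
    "ns2.example.": _obs(ra=True, ns=("ns1.example.", "ns3.example."),
                         addr_ttl=300, ptr2="host.example.net."),
}

if __name__ == "__main__":
    for server, finding in check_delegation(SAMPLE):
        print(server, finding)
```

The function reports findings rather than failing the delegation, since the message notes that an NS RRset difference may be intentional.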