IETF Logo Mail Archive

Re: [DNSOP] DNS Delegation Requirements

John Kristoff <jtk@cymru.com> Thu, 17 March 2016 21:45 UTC

Return-Path: <jtk@cymru.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7208A12D6B7 for <dnsop@ietfa.amsl.com>; Thu, 17 Mar 2016 14:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQ0iWTFW1MIb for <dnsop@ietfa.amsl.com>; Thu, 17 Mar 2016 14:45:27 -0700 (PDT)
Received: from mailout.cymru.com (mailout.cymru.com [38.229.36.8]) by ietfa.amsl.com (Postfix) with ESMTP id DCFFB12D667 for <dnsop@ietf.org>; Thu, 17 Mar 2016 14:45:26 -0700 (PDT)
Received: from localhost (vpn-72-38.svcs.ord07.cymru.com [172.16.72.38]) by mailout.cymru.com (Postfix) with ESMTP id 264C946EF9F; Thu, 17 Mar 2016 21:45:25 +0000 (GMT)
Date: Thu, 17 Mar 2016 16:45:24 -0500
From: John Kristoff <jtk@cymru.com>
To: Jakob Schlyter <jakob@kirei.se>
Message-ID: <20160317164524.59a212a9@localhost>
In-Reply-To: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
User-Agent: Claws Mail
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/NzT6UvnoIbYrSaAoqyoPdVgND-Q>
Cc: dnsop <dnsop@ietf.org>, Patrik Wallström <patrik.wallstrom@iis.se>
Subject: Re: [DNSOP] DNS Delegation Requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2016 21:45:28 -0000

On Mon, 8 Feb 2016 09:57:15 +0100
Jakob Schlyter <jakob@kirei.se> wrote:

> At this point, we're seeking more public comments - on this mailing
> list (unless the chairs disapproves), on the our issue tracker [4] or
> via email to the authors.

Hello Jakob and Patrik.  Some comments as requested.

The introduction lists 8 areas of interest.  All, except "7. Name
Server" have their own section in the table of contents.  Oversight?

This sentence is awfully confusing:

  Many requirements in this document deal with the properties of a
  nameserver that is used as part of a delegation, therefore the
  wording mentioning the use of a name server as part of this is
  omitted.

First there is nameserver, then name server as two words.  Which is
it?  More importantly, I'm not quite sure what is being said here.  Can
you perhaps rewrite, elaborate or provide an example?

You may be interested to know that I recently submitted a draft on DNS
over TCP operational requirements.  If that work progresses as I hope,
it might help with section 4.2 of your draft.

The consistency requirements might be too strict, since it applies all
zone data.  While reasonable people might fret about inconsistency when
things like "views", "geo-location", client-subnet and so on are in
use, it might be best to limit consistency requirements to the
infrastructure records (e.g. SOA, NS).

Additionally, I could imagine an argument being made that all names
need not respond with the same NS RRset.  While generally this
delegation or authority list inconsistency is often indication of a
problem, it is feasible that it might be intentional and may even
provide some advantage.  The so-called "fast flux" invention by the
miscreants taught us that.

Suggesting that name servers be the same AS is often unnecessary.  More
important is diversity in the route announcements covering the name
server addresses.  Many might not even be able to easily satisfy this
requirement.

A few additional topics you may wish to consider:

  * delegated name server should be authoritative only (no rd service)
  * ptr names of NS addresses should match the associated A/AAAA names
  * name server should run NTP or equivalent so time is accurate
  * DNS TTLs of the NS and A/AAAA name servers MUST be consistent

John

v2.23.0 | Report a Bug | By Email