Re: [DNSOP] RFC 1035 vs. mandatory NS at apex?

Joe Abley <> Fri, 08 February 2019 02:16 UTC

From: Joe Abley <>
To: Mark Andrews <>
Cc: Masataka Ohta <>,
Date: Thu, 7 Feb 2019 21:16:48 -0500
List-Id: IETF DNSOP WG mailing list <>

On 7 Feb 2019, at 21:06, Mark Andrews <> wrote:

> On 8 Feb 2019, at 12:53 pm, Joe Abley <> wrote:
>> Ohta-san,
>> On 7 Feb 2019, at 18:28, Masataka Ohta <> wrote:
>>> Petr Spacek wrote:
>>>>   5. At least one NS RR must be present at the top of the zone.
>>> At least two.
>> With respect, I think the protocol requirement is at least one, not at least two.
>> I think best current practice is to avoid single points of failure with the set of servers used to provide authoritative answers, and I agree that in many cases this is codified in user interfaces and registry policy as requiring two NS RRs. However, there is no shortage of such multiple RRs that refer to a single subnet or even a single instance of a nameserver process (so "at least two" is sometimes insufficient), and it's perfectly possible to use anycast or both A and AAAA RRs attached to a single nameserver name that provide much more useful diversity than those degenerate two-NS implementations (so "just one" could in some circumstances be adequate).
> A single anycast server DOES NOT and never can provide diversity from the client’s perspective.
> Additionally multiple servers in the same /24 (IPv4) or same /48 (IPv6) should be treated as a
> single server for diversity testing as these are the longest accepted prefixes.

That depends on what you mean by "server" and how things are provisioned. It's not 1981 and there are many valid approaches for the removal of the outer feline layers.

I'll suggest that while recommendations and guidance about formulating a risk analysis are valuable outputs for this working group, absolute and broad statements are best viewed with suspicion. No individual, no matter how well-informed and well-intentioned, can possibly know with certainty the complete situation of every relying party.

I think it's best for this working group to stick to what it's good at.
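The exchange above turns on how to count "servers" for diversity testing. The following is an added example, not code from this thread or from any of its participants: it applies the rule Mark states (collapse addresses to their /24 for IPv4 and /48 for IPv6 and treat everything inside one prefix as a single server) to a constructed set of apex NS records, and compares that count with the naive count of NS RRs. The NS names and addresses are made up (documentation prefixes), and the 24/48 prefix lengths are taken from the quoted message as an assumption about what is routed independently.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation prefixes, not a real zone):
# apex NS owner names mapped to the addresses their A/AAAA records hold.
# Three NS names, but ns1 and ns2 sit in the same /24 and the same /48.
SAMPLE_NS = {
    "ns1.example.net.": ["192.0.2.10", "2001:db8:1::10"],
    "ns2.example.net.": ["192.0.2.20", "2001:db8:1::20"],
    "ns3.example.org.": ["198.51.100.5", "2001:db8:2::5"],
}

# Constructed degenerate set: two NS names, but every address shares one
# /24 and one /48, so by the prefix rule this is a single server.
DEGENERATE_NS = {
    "a.ns.example.": ["203.0.113.1", "2001:db8:3::1"],
    "b.ns.example.": ["203.0.113.2", "2001:db8:3::2"],
}

# Assumed longest independently routed prefix per address family,
# as stated in the quoted message (/24 for IPv4, /48 for IPv6).
ROUTED_PREFIX_LEN = {4: 24, 6: 48}


def routed_prefix(addr):
    """Collapse an address to the /24 (IPv4) or /48 (IPv6) that contains it."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network((addr, ROUTED_PREFIX_LEN[ip.version]), strict=False)


def group_by_prefix(ns_records):
    """Map each routed prefix to the set of NS names with an address inside it."""
    groups = defaultdict(set)
    for name, addrs in ns_records.items():
        for addr in addrs:
            groups[routed_prefix(addr)].add(name)
    return groups


def assess_diversity(ns_records, minimum=2):
    """Compare the naive NS RR count with the number of distinct routed
    prefixes per address family. The prefix-based figure is the one the
    quoted message says diversity testing should use."""
    groups = group_by_prefix(ns_records)
    distinct = {4: 0, 6: 0}
    for net in groups:
        distinct[net.version] += 1
    # Only judge address families that are actually present in the NS set.
    present = [n for n in distinct.values() if n > 0]
    return {
        "ns_rr_count": len(ns_records),
        "distinct_v4_prefixes": distinct[4],
        "distinct_v6_prefixes": distinct[6],
        "meets_minimum_naive": len(ns_records) >= minimum,
        "meets_minimum_by_prefix": bool(present) and all(n >= minimum for n in present),
        # Prefixes that more than one NS name falls into: the "same subnet"
        # case that makes a two-NS delegation look more diverse than it is.
        "shared_prefixes": sorted(str(net) for net, names in groups.items() if len(names) > 1),
    }


if __name__ == "__main__":
    for label, records in (("sample", SAMPLE_NS), ("degenerate", DEGENERATE_NS)):
        print(label, assess_diversity(records))
```

The check deliberately only sees what a resolver sees in the delegation's glue and A/AAAA data: it cannot tell whether a single address is anycast behind many instances, which is Joe's point that "just one" may be adequate in some deployments, nor whether two addresses in different prefixes terminate on the same host, which is the other degenerate case he describes. It is a screening heuristic, not a substitute for the per-operator risk analysis the message argues for.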