IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 27 March 2023 18:44 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D562C1522CD for <dnsop@ietfa.amsl.com>; Mon, 27 Mar 2023 11:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6B1J2SNH85dZ for <dnsop@ietfa.amsl.com>; Mon, 27 Mar 2023 11:44:38 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91C83C1522CB for <dnsop@ietf.org>; Mon, 27 Mar 2023 11:44:37 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id CB26A11A045; Mon, 27 Mar 2023 14:44:36 -0400 (EDT)
Date: Mon, 27 Mar 2023 14:44:36 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <ZCHkFGDj0CrEx3o1@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OUg2gNtcUnJEhbhNvOOcoL-anIs>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2023 18:44:39 -0000

On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:

> > These “rare” cases where the domain is not resolvable when a glue is not
> > present are the ones this draft is done for. So did you look how rare
> > they were in your dataset? Being able to resolve instead of not resolving
> > IMHO has value even if the number is not big.
> >
> > We all know that a lot of data in the DNS is garbage, that should not
> > stop us from using the good data.
> 
> The cyclic dependency based sibling glue (Section 2.3) is arguably
> a bit of a corner case, and in past discussions some folks have expressed
> the view that we shouldn't make accommodations to support it. I
> think I can agree with that, but there were opposing views that we also
> shouldn't break configurations that currently work. So it was left in.

Can we at least state that domains with cyclic dependencies are a bad
idea, and may not be supported by all resolvers.  In other words, that
the domain owner can't **rely** on the sibling glue recommended to be
sent in this draft to save the day.

My strong preference is still to delete all reference in the draft to
cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
sibling glue primarily as a performance optimisation, and secondarily
as a last resort when the nameserver IP addresses are wrong or gone
from the authoritative zone (another bad practice).

What should really happen is that broken sibling glue should be
regularly purged from public suffix registries (probably requires
gaining support for this in the RRR community more than IETF), and only
then does the remaining valid sibling glue become more of a help than a
hindrance.

- Please, if at all possible, drop the cyclic dependency anti-pattern from the draft.

- The "right" justification for sibling glue (in the minority of cases
  that is is valid, by domain cardinality, though admittedly perhaps not
  a minority by query volume) is then lower latency/cost to reach a
  usable server.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email