IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 13 March 2023 23:03 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11028C13AE4C for <dnsop@ietfa.amsl.com>; Mon, 13 Mar 2023 16:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BPmQU1nuUYAT for <dnsop@ietfa.amsl.com>; Mon, 13 Mar 2023 16:03:10 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D810C13AE43 for <dnsop@ietf.org>; Mon, 13 Mar 2023 16:01:51 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 0D92D112A3E; Mon, 13 Mar 2023 19:01:51 -0400 (EDT)
Date: Mon, 13 Mar 2023 19:01:51 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <ZA+rX+5JfSLzkdNC@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <a3e3fa66-fbb5-3162-e2cd-30ba13112803@necom830.hpcl.titech.ac.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QEDircrWrTrIOg6M_TSvOMlI5Bw>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2023 23:03:15 -0000

On Fri, Feb 17, 2023 at 01:55:40PM +0900, Masataka Ohta wrote:

> Viktor Dukhovni wrote:
> 
>  > The draft states that in rare cases sibling glue could be useful, as a
>  > result of cyclic dependency loops.
> 
> Interesting. Such dependency existed between two TLDs (IIRC
> "edu" and "org") 20 or 30 years ago and I thought and still
> think there are redundancy issues.
> 
> That is, the example in the draft is insufficient and, at least, the
> following should be an additional example:
> 
>     bar.test.                  86400   IN NS      ns1.foo.test.
>     bar.test.                  86400   IN NS      ns2.foo.test.
> 
>     foo.test.                  86400   IN NS      ns1.foo.test.
>     foo.test.                  86400   IN NS      ns1.bar.test.
>     foo.test.                  86400   IN NS      ns2.bar.test.
> 
> in which case, without sibling glue, if ns1.foo.test goes down, name
> resolutions of both zones become impossible, which should not satisfy
> minimum required redundancy of DNS.

This is a very weak argument, because the two domains need not be in the
same TLD, and then sibling glue never happens.  The sibling glue IMHO
accomodates corner cases that are marginal to careless.

> >      In late 2021 the authors analyzed zone file data available from
> >      ICANN's Centralized Zone Data Service [CZDS] and found 222 out of
> >      approximately 209,000,000 total delegations that had only sibling
> >      domain NS RRs in a cyclic dependency as above.
> 
> "only sibling domain NS RRs"?
> 
> If my examples above are considered, there should be more cases.

And yet, because it is particularly badly maintained, the overall
effect is IMHO negative.

On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:

> The cyclic dependency based sibling glue (Section 2.3) is arguably a
> bit of a corner case, and in past discussions some folks have
> expressed the view that we shouldn't make accommodations to support
> it. I think I can agree with that, but there were opposing views that
> we also shouldn't break configurations that currently work. So it was
> left in.

Sure, a parent domain *may* serve sibling glue if it so chooses, but I
would not lump it in with a "glue is not optional" RFC.  This gives
sibling glue too much "weight", and sets expectations that it SHOULD
be used when provided, but I'd be inclined to downplay its importance,
and any expectation that it will save the day when all else fails.

> The case of normal (non-circular) sibling glue, described in Section
> 2.2 is in my opinion useful though, and also extremely common - where
> it isn't necessarily required for resolution but allows resolvers to
> obviate additional follow-on queries (to the same servers) to obtain
> the sibling glue.  Previous lengthy discussions on this topic indicate
> a consensus to retain them, but not mandate their inclusion (or set
> TC=1 if message size limits are exceeded).

Can we leave its availability and treatment as *unspecified*?  I don't
have a rock solid case for never sending it, but I do think we'd be
better of if as little as possible of it were in fact provided and as
few as possible relied on it.

> Note that this document does not place any requirements on DNS
> resolvers, so if a resolver implementer chooses to, they can ignore
> sibling glue in referral responses, and/or explicitly fetch them.

And so my take is that it is in fact "optional".

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email