Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis
Paul Wouters <paul@nohats.ca> Wed, 06 October 2021 19:04 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B18E73A07A5 for <dnsop@ietfa.amsl.com>; Wed, 6 Oct 2021 12:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xT9zMVUbw-AT for <dnsop@ietfa.amsl.com>; Wed, 6 Oct 2021 12:04:49 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B52E3A07A3 for <dnsop@ietf.org>; Wed, 6 Oct 2021 12:04:48 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4HPkR12yLRzKHT; Wed, 6 Oct 2021 21:04:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1633547085; bh=lMDslL1LKquLvAEoTfw3MOA662W0eR3SnA2FGsKY0uU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=apA53OA+yFUiIztbQxiGUtFDE7AMtcy3ls2g/y5jJQMfZer9Bmc5VO7nvTm497KKX mDc/wdFrisIsN2WBtbj27NKHB0Pfu26LSSFt4YsIno2CC2Pu+eEtoTyAjjn+ONKMIh GltaG3OCE1xnM86SDZRxHgMuswSwM10qIl3qdXNU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 0mVW2PpzRJid; Wed, 6 Oct 2021 21:04:42 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 6 Oct 2021 21:04:42 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3BDE51205D5; Wed, 6 Oct 2021 15:04:41 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 38E311205D4; Wed, 6 Oct 2021 15:04:41 -0400 (EDT)
Date: Wed, 06 Oct 2021 15:04:41 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: dnsop <dnsop@ietf.org>, Tony Finch <dot@dotat.at>
In-Reply-To: <B08E9361-B97B-4862-861C-4EF628C85E50@icann.org>
Message-ID: <bb61304c-6ef9-7850-3dbb-19b624bc07b@nohats.ca>
References: <B08E9361-B97B-4862-861C-4EF628C85E50@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QwhkSDCH3qfxTCeKAn2dZEoeJp0>
Subject: Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 19:04:55 -0000
On Wed, 6 Oct 2021, Paul Hoffman wrote:
> Greetings again. I think that all of the issues from the WG on draft-ietf-dnsop-rfc8499bis have been dealt with, except one significant one. Almost a year ago, Tony Finch started a thread about 8499's definitions of bailiwick and sibling glue. The thread is
> <https://mailarchive.ietf.org/arch/msg/dnsop/5bKXkqzCyGE1NuUko9M6wXLD5bI/>
> <https://mailarchive.ietf.org/arch/msg/dnsop/fAopdUTnVS2mDF71eiGsRdu9zco/>
> <https://mailarchive.ietf.org/arch/msg/dnsop/PqH_WMhsP5zxRfjKD4gtmf6nw54/>
>
> The WG should come to agreement on this so that we can close out the document. Please read these messages and comment here about changes you do or don't want to be made to the current draft.
The suggestion by Tony Finch:
* Sibling zones: two zones whose delegations are in the same
parent zone.
* Sibling glue: addresses of nameservers that are in a sibling zone.
I agree with the above part. But the next part I do not agree with:
Sibling glue is usually the glue that the DNS would require for that
sibling zone, but in some cases the requirement lies elsewhere, for
example
one.example. NS nsa.two.example
one.example. NS nsb.two.example
two.example. NS ns0.two.example
two.example. NS ns1.two.example
The DNS protocol does not require sibling glue for the one.example
nameservers, though glue addresses might be required by .example
registry policy.
I find the talk about "in the DNS protocol" and pulling in "registry
policy" confusing and unneeded.
As a seperate problem in the 2nd references email, I agree that the
term "in-bailiwick" probably changed meaning from "within this
delegation or below" to "the data related to this delegation". Eg
when processing additional records, "in-bailiwick" is interpreted
as "needed for completing DNS resolution for all NS entries in this
delegation" and could be RRs from other TLDs and their dependencies.
For example, in this updated meaning, the A record for ns0.nohats.ca
is "in-bailiwick" to libreswan.org and a resolver could add the A
record for ns0.nohats.ca (and/or DNSKEY etc) to an answer for NS
of libreswan.org. This new use of "in-bailiwick" seems more common
too when thinking of resolver to stub and DNSSEC validation, eg
with chain-query and tls-dnssec-chain. Possible this dual use let
to the new term "in-domain" ?
As for the third message quoted, I do not agree that "in-bailiwick is
a property of a nameserver". I believe it is a term related to the
NS/A records of the QNAME, not of a nameserver.
Paul
- [DNSOP] Bailiwick discussion for draft-ietf-dnsop… Paul Hoffman
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… Tim Wicinski
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… Paul Wouters
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… Brian Dickson
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… John Levine
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… Tony Finch
- [DNSOP] Another attempt at consensus on the baili… Paul Hoffman
- Re: [DNSOP] Bailiwick discussion for draft-ietf-d… Vladimír Čunát
- Re: [DNSOP] Another attempt at consensus on the b… Wessels, Duane
- Re: [DNSOP] Another attempt at consensus on the b… Paul Vixie
- Re: [DNSOP] Another attempt at consensus on the b… Brian Dickson
- Re: [DNSOP] Another attempt at consensus on the b… Joe Abley
- Re: [DNSOP] Another attempt at consensus on the b… Ben Schwartz
- Re: [DNSOP] Another attempt at consensus on the b… Wessels, Duane
- Re: [DNSOP] Another attempt at consensus on the b… Tim Wicinski
- Re: [DNSOP] Another attempt at consensus on the b… George Michaelson
- Re: [DNSOP] Another attempt at consensus on the b… Paul Wouters
- Re: [DNSOP] Another attempt at consensus on the b… Mukund Sivaraman
- Re: [DNSOP] Another attempt at consensus on the b… Ben Schwartz
- Re: [DNSOP] Another attempt at consensus on the b… Wessels, Duane
- Re: [DNSOP] Another attempt at consensus on the b… Paul Vixie