Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-02.txt

Joe Abley, Wed, 28 July 2021 18:27 UTC

On Jul 28, 2021, at 14:00, Paul Wouters wrote:

> If the zone example contains amongst other content:
> foo.example. IN NS
> foo.example. IN NS
> IN A
> IN A
> Then for the DNS server returning an NS query for foo.example, it is
> easy to either:
> 1) return's A record
> or
> 2) return and A records
> What is harder to do is determining whether it should or should not
> include's A record based on whether it is "needed" or
> not, as there are various kinds of loops possible.

So your assumption is that it's easier to return all possible glue for every nameserver in the delegation set than it is to return glue for just that subset that are subordinate to the zone cut.

Perhaps this is a good opportunity to let actual implementers let us know what is what.

>> I don't see where the "extra CPU power" you are talking about comes from.
> To determine if the glue you know you have is "needed or not".

As I said, it seems to me that this is absolutely knowledge that you can gain at load time and it's not necessary to wait until response time to do the work. So I think the CPU consumption argument is not especially persuasive. However, I am not an implementer.

Regardless, it does seem to me that glue for nameservers that are subordinate to the zone cut is the MUST and other glue is at best a MAY.
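
The load-time classification discussed in this message, as an added example that is not part of the original message or of any name server's code: for each zone cut it precomputes, once, which NS targets are subordinate to the cut (the proposed MUST glue) and which are not (the proposed MAY glue). The zone names, addresses and the helper names `labels`, `is_subordinate` and `build_glue_index` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data for a parent zone "example." (not taken from the thread).
ZONE_APEX = "example."
ZONE_RECORDS = [
    ("example.", "NS", "ns.example."),          # apex NS set, not a delegation
    ("foo.example.", "NS", "ns1.foo.example."),  # target below the zone cut
    ("foo.example.", "NS", "ns2.bar.example."),  # target outside the zone cut
    ("ns1.foo.example.", "A", "192.0.2.1"),
    ("ns2.bar.example.", "A", "192.0.2.2"),
]


def labels(name):
    """Split an absolute domain name into lower-cased labels."""
    return name.lower().rstrip(".").split(".")


def is_subordinate(name, cut):
    """True if name is at or below the zone cut (label-wise, not string suffix)."""
    n, c = labels(name), labels(cut)
    return len(n) >= len(c) and n[-len(c):] == c


def build_glue_index(records, apex):
    """Run once at zone load: map each zone cut to required and optional glue."""
    addrs = defaultdict(list)
    delegations = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs[owner.lower()].append((rtype, rdata))
        elif rtype == "NS" and owner.lower() != apex:
            delegations[owner.lower()].append(rdata.lower())
    index = {}
    for cut, targets in delegations.items():
        required, optional = {}, {}
        for ns in targets:
            if ns not in addrs:
                continue  # no address records held in this zone for that name
            bucket = required if is_subordinate(ns, cut) else optional
            bucket[ns] = addrs[ns]
        index[cut] = {"required": required, "optional": optional}
    return index


GLUE = build_glue_index(ZONE_RECORDS, ZONE_APEX)
```

At response time a referral for `foo.example.` becomes a dictionary lookup in `GLUE`; no per-query name comparison is needed.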