IETF Logo Mail Archive

Re: [DNSOP] AD Review of draft-ietf-dnsop-rfc8109bis

Mark Andrews <marka@isc.org> Thu, 01 February 2024 01:17 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2C8C14F6AE; Wed, 31 Jan 2024 17:17:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.408
X-Spam-Level:
X-Spam-Status: No, score=-4.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="oHM6yqXS"; dkim=pass (1024-bit key) header.d=isc.org header.b="f2imz9qX"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMZj-KQFMGov; Wed, 31 Jan 2024 17:17:04 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C427BC14F69A; Wed, 31 Jan 2024 17:17:03 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 7987D3AB1A7; Thu, 1 Feb 2024 01:17:03 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 7987D3AB1A7
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1706750223; cv=none; b=KH8lqsYl6FSPXcNum0Ec7fuC77jjOYYwZrYz0Aej+yTrA4yaeGPkPS2OqTovkgDFrqJ6R5lzcxWjFmWpFirUP3AGi9292O3AwjOqjwgloNPRYsTbE/YUacd0t6h82kUNh9BGIviuZ0W6lBdVKH7XoCS8LK4v58jq/krejQ1eSHU=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1706750223; c=relaxed/relaxed; bh=UZ/ejvEwungG/VM4QWPYZsZcYlcO3aNJDXAHPgz/zFY=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=aq7rQ5sSAFxJzLL8Vn7G3uSR9SyTGEHgdLxt1Aim3XoK7cIXN59NoeGmBgJj7mB5lx5aQa4ZgRDAheunnLJFhw0VJzpw3Ly5mxuOKais66MTmCAcfbnK8+O+uE/R8YXBOdGMLVC5TjodCXH1tPes/KiLUzLsYYxuNuTdbKGQl5Y=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 7987D3AB1A7
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1706750223; bh=CQMW0rI2P5+XYQ59fR1AKdniPpfpIpmy21MSQZE5e10=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=oHM6yqXS7kVfCeyeXjYCjSuP1099yF5ib3wxxkPSnCT4w1VRK/yyJPE8Wk959wP88 GFG8KNi0olhRtBgW7L/v+Js2rD0f9Ewyi0pmfZEIY6mk/TkU+hWenUjr//hl3xZ5Jl l1S5ZoYxnYTdtQy9Pnx0GW9xOMaPEYpTFnzQQlQo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 76867DE667B; Thu, 1 Feb 2024 01:17:03 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 5466BDE669C; Thu, 1 Feb 2024 01:17:03 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 5466BDE669C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1706750223; bh=UZ/ejvEwungG/VM4QWPYZsZcYlcO3aNJDXAHPgz/zFY=; h=Mime-Version:From:Date:Message-Id:To; b=f2imz9qXfNdEcZCeEJgWBkpm9n3o5e35gKxWT808Jajx/9tnShAVATNJfPtFKHlD5 zOR6wzUn8OO6zlE9ZYTtOxmlgDt6Honu271uxlwJRUhwuo/jFc28knJuizYWbJ9DtD TTvTJvcShn1kus656ldakphEe12KIwgrBxQuo7xQ=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id 0joZFZt85suP; Thu, 1 Feb 2024 01:17:03 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 8C714DE667B; Thu, 1 Feb 2024 01:17:02 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHw9_iL0+sA=8aT2iq68v5yr6491NE0bnuwtckgmSqUG=F7+1A@mail.gmail.com>
Date: Thu, 01 Feb 2024 12:16:50 +1100
Cc: draft-ietf-dnsop-rfc8109bis.all@ietf.org, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <34CBE7A2-9BC2-441C-BA65-5C1B5C483F26@isc.org>
References: <CAHw9_iL0+sA=8aT2iq68v5yr6491NE0bnuwtckgmSqUG=F7+1A@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SmBcTrXIUTKxBeAhKYzsedfGi7w>
Subject: Re: [DNSOP] AD Review of draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 01:17:08 -0000


> On 1 Feb 2024, at 06:38, Warren Kumari <warren@kumari.net> wrote:
> 
> Hi there, authors (and WG),
> 
> Thank you for this document — I have some questions / comments before I can progress it.
> 
> Firstly, the (presumably) easy one: 
> The document says:
> "This document, when published, obsoletes RFC 8109." - can you add something along the lines of "Section 1.1 contains a list of changes from RFC 8109" or similar….
> 
> Now the harder one…
> Sec 4.2:
> "If some root server addresses are omitted from the Additional section, there is no expectation that the TC bit in the response will be set to 1. At the time that this document is written, many of the root servers are not setting the TC bit when omitting addresses from the Additional section.

Root server address are NOT glue.  Glue only appears in a referral.  The response to "dig NS ." is not a referral. 

Glue is added RFC 1034 4.3.2. Algorithm Step 3b.  Root server addresses are added at Step 6.

Step 3b

[Paragraph one omitted]

Copy the NS RRs for the subzone into the authority
section of the reply. Put whatever addresses are
available into the additional section, using glue RRs
if the addresses are not available from authoritative
data or the cache. Go to step 4.

vs

Step 6

Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit.

This is why the root servers need to have a local copy of root-servers.net.  It’s the data source for those address records.

> Note that [RFC9471] updates [RFC1035] with respect to the use of the TC bit. It says "If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC (Truncated) flag to inform the client that the response is incomplete and that the client should use another transport to retrieve the full response."  "
> 
> IMO, this text is confusing….
> It sounds like it is saying "RFC9471 says you must set TC if you truncate the glue. The root server folk are ignoring RFC9471, bad root server folk…"
> 
> I have read the discussion in the WGLC ( inc https://mailarchive.ietf.org/arch/msg/dnsop/wtjuoVqkKmww988Hyq2QDq_nKpA/  and am assuming it was rewritten as "If some root server addresses are omitted from the Additional section…".), but I don't really think that really addresses my concern  — it's easy to miss the subtleties and the "all glue records" vs "some addresses" bit is tricky.
> 
> It's also true that "At the time that this document is written, many of the root servers are not setting the TC bit when omitting addresses from the Additional section." — RFC9471 was only published at the end of September, there is an open BIND bug to update this behavior (I think! - https://gitlab.isc.org/isc-projects/bind9/-/issues/4540 ), and is planned to change in 9.19.x (I think!)
> 
> So,  while what it written is all technically correct[0], the tone feels weird. I think that some of this is because ot the timing of when this and RFC9471 were written. 
> 
> RFC8109 was published 7 years ago, and I'm hoping that rfc8109bis will survive at least that long. 
> 
> I don't know how we address my concern, but it feels like, in e.g 6 years, this text will have aged poorly... 
> Can you see about some more massaging of this text? 
> 
> W
> [0]: The best kind of correct…. 
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email