Re: [DNSOP] partial glue is not enough, I-D Action: draft-ietf-dnsop-glue-is-not-optional-00.txt

Mark Andrews <marka@isc.org> Thu, 02 July 2020 01:33 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <20200702011816.D4B0D1C3CD10@ary.qy>
Date: Thu, 2 Jul 2020 11:33:12 +1000
Cc: dnsop@ietf.org, paul@redbarn.org
Message-Id: <9F429E1D-12D9-472F-810B-7A03548C3473@isc.org>
References: <20200702011816.D4B0D1C3CD10@ary.qy>
To: John Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TUdvePBAwtDdlfyWtOh-vtxbquY>


> On 2 Jul 2020, at 11:18, John Levine <johnl@taugh.com> wrote:
> 
> In article <9056955.dJ39pTEj9z@linux-9daj> you write:
>> On Wednesday, 1 July 2020 09:41:49 UTC Jan Včelák wrote:
>>> We just opened this discussion internally at NS1 because we serve some
>>> zones with more than 10 NS records where each NS requires glue and our
>>> proprietary server by design adds glue only for the first four NS
>>> records. We are discussing if this is correct behavior if it needs to
>>> be revisited.
>> 
>> i think if you're using round robin or random selection, a subset is fine. if 
>> we had to codify this practice, i'd ask that at least two address records of 
>> each available kind be included (so, two AAAA's, two A's) or else set TC=1.
> 
> I really don't like this. If you do that, you're going to have
> failures when there are working servers but none of their addresses
> happen to be in the glue subset in the response, and without TC=1
> there's no hint that there's more glue if you retry.
> 
> If a response with TC=1 has at least one record in the additional
> section, that tells the client that the missing records are all glue.
> So I think it would be OK in that case for the client to use what it's
> got, but remember that if it can't contact any of the NS with the
> A/AAAA it's got, it can go back and get the rest.
> 
> Remember, if it's glue, there's no other way to get it. If it's worth
> returning glue at all, it's worth providing all of it.

BIND sets TC=1 if a query for the address of a nameserver came in and the
only way to return the addresses, after sorting them to the start of the
additional section, is to go to TCP.  This was done to reduce fallback to
TCP; otherwise referrals to NET from the root servers would always require
TCP for non-EDNS clients.  That said, it is much cleaner to just return all
the available glue.

Recursive servers need to be able to cope with glue expiring before the
referral NS records.  The question is how complicated that dance should be.
BIND will ask the parent for the addresses of every NS, but it requires a lot
of traffic.

Someone earlier asked about sibling vs required glue.  I would set TC=1 for
both.

Mark

> R's,
> John
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
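The referral-handling rules argued over in this thread (the "at least two A and two AAAA or TC=1" subset proposal, John's "TC=1 plus at least one glue record means the rest is glue", and the glue-outliving-NS problem Mark raises), modelled as a small policy checker. This is an added illustration, not code from the thread or from BIND; the zone and server names and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Glue:
    owner: str   # NS name this address record belongs to
    rtype: str   # "A" or "AAAA"
    addr: str
    ttl: int     # seconds of life left in the resolver's cache

@dataclass
class Referral:
    zone: str            # delegated zone, e.g. "example.net."
    ns_names: List[str]  # owners of the NS RRset the parent handed out
    ns_ttl: int          # TTL of that NS RRset
    glue: List[Glue] = field(default_factory=list)
    tc: bool = False     # TC=1 on the referral

def needs_glue(ref):
    """NS names at or below the delegated zone: their addresses exist only as glue."""
    return [n for n in ref.ns_names if n == ref.zone or n.endswith("." + ref.zone)]

def missing_glue(ref):
    """In-bailiwick NS names for which the referral carried no address record at all."""
    have = {g.owner for g in ref.glue}
    return [n for n in needs_glue(ref) if n not in have]

def subset_policy_ok(ref):
    """Paul's proposal: a glue subset is fine if it holds >=2 A and >=2 AAAA, else set TC=1."""
    a = sum(1 for g in ref.glue if g.rtype == "A")
    aaaa = sum(1 for g in ref.glue if g.rtype == "AAAA")
    return ref.tc or (a >= 2 and aaaa >= 2)

def john_policy_ok(ref):
    """John's position: return all the glue, or TC=1 with >=1 glue record so the client knows what is missing."""
    return not missing_glue(ref) or (ref.tc and len(ref.glue) > 0)

def glue_outlived_by_ns(ref):
    """Glue whose TTL is shorter than the NS RRset's: it expires first and must be refetched from the parent."""
    return [g for g in ref.glue if g.ttl < ref.ns_ttl]

def next_action(ref, reachable):
    """Client-side dance from the thread: use what you have; if nothing works and TC=1,
    go back (over TCP) for the rest; otherwise ask the parent for every NS address."""
    usable = [g.addr for g in ref.glue if g.addr in reachable]
    if usable:
        return "use_glue", usable
    if ref.tc:
        return "retry_tcp", []
    return "query_parent", list(ref.ns_names)
```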