Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition

Peter Thomassen <> Tue, 02 May 2023 12:24 UTC

To: Paul Vixie <>, Joe Abley <>
List-Id: IETF DNSOP WG mailing list <>

On 5/1/23 23:22, Paul Vixie wrote:
> to be a lame _delegation_ means some error or misconfiguration in the server. normally this means it's supposed to be authoritative but the zone expired or the operator forgot or similar.

This, so far, was my understanding of the definition that was given in the other thread, and which Benno labeled (2) in the original post of this thread:

    "A lame delegation is said to exist when one or more authoritative
    servers designated by the delegating NS RRset or by the child's apex
    NS RRset answers non-authoritatively [or not at all] for a zone".

... without the "or not at all" part (so, an answer is required for "lameness").

> or there is no server there any more (it was decomm'd or renumbered). icmp host-unreach or port-unreach would be symptoms of that, if you can hear them.

"Responses" like "unreachable" are not answers in the DNS sense. Are they meant to be included in "answer[ing] non-authoritatively" in the definition above, or is "answers non-authoritatively" restricted to DNS answers (e.g. REFUSED)?

> if we need more terms let's invent.

Without asking to invent a term if none exists, I'd like to learn how to call a delegation that points to an NS hostname that does not have an address record (verifiably, e.g. denied by a DNSSEC negative response).

Before the discussion, I thought this qualifies as "lame" (because you can tell from the response that there's no DNS service; it's not a timeout), but with the above definition, it can't be called "lame".