Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Peter Thomassen <peter@desec.io> Tue, 28 March 2023 12:24 UTC

Message-ID: <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io>
Date: Tue, 28 Mar 2023 14:24:06 +0200
To: dnsop@ietf.org
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WOYKiiY00FnVcIpnuiXsdraENd8>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue


On 3/28/23 03:14, Shumon Huque wrote:
> On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
> 
>     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>     Can we at least state that domains with cyclic dependencies are a bad
>     idea, and may not be supported by all resolvers.  In other words, that
>     the domain owner can't **rely** on the sibling glue recommended to be
>     sent in this draft to save the day.
> 
>     My strong preference is still to delete all reference in the draft to
>     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>     sibling glue primarily as a performance optimisation, and secondarily
>     as a last resort when the nameserver IP addresses are wrong or gone
>     from the authoritative zone (another bad practice).
> 
> 
> Viktor - I've so far not seen many other people speak up in support of your
> position. I suspect this is because this draft was discussed to death many
> months ago during long discussion threads on the list, and there is likely
> already rough consensus for the current content. Personally, I would be ok
> with adding a statement that configurations involving cyclic dependencies
> are not recommended, but others will likely have to also speak up in support
> of this too.

I support adding such a statement about cyclic dependencies.

In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.

FWIW, I hold this opinion because I find Viktor's numbers pretty convincing. However, as I've never operated a resolver, I'm convinced solely based on what I've read (to the best of my ability), not based on what I've experienced. Others' first-hand experience may be more material.

~Peter
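Added example, not part of the thread or of the draft text: the message above turns on the distinction between in-domain glue, sibling glue and delegations that depend cyclically on each other. The script below classifies each NS name of a delegation and finds the zones that cannot be resolved from in-domain glue alone, i.e. the ones that would be relying on the parent choosing to send sibling glue. All zone and host names (a.example, ns.b.example, ns.outside.test, ...) and the EXAMPLE_DELEGATIONS table are constructed for illustration; the resolvability rule (a zone is reachable if some NS name is in-domain, lies under an already reachable delegated zone, or lies outside the analysed delegations) is a simplification chosen for this example, not something the draft specifies.

```python
"""Classify glue for a set of delegations and find cyclic dependencies.

Terminology as used in draft-ietf-dnsop-glue-is-not-optional:
  in-domain      NS name is at or below the delegated zone; the parent must
                 carry and serve its address records (glue).
  sibling        NS name is below another zone delegated by the same parent;
                 the parent may have address records for it (sibling glue).
  out-of-domain  NS name is anywhere else; resolvers look it up separately.
This is an added, stand-alone example; every name below is made up.
"""
from __future__ import annotations


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def is_subdomain(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def classify_ns(zone: str, parent: str, ns_name: str) -> str:
    """Kind of glue the parent zone would need for this NS name."""
    if is_subdomain(ns_name, zone):
        return "in-domain"
    if is_subdomain(ns_name, parent):
        return "sibling"
    return "out-of-domain"


def find_cyclic_zones(delegations: dict) -> set:
    """delegations maps each delegated zone to its list of NS names.

    Fixpoint: a zone becomes resolvable once one of its NS names is
    in-domain (mandatory glue), lies under a zone already resolvable, or
    lies under no zone in the table (assumed reachable elsewhere).  Zones
    never marked can only be reached if the parent happens to serve sibling
    glue, which is exactly the reliance the thread warns against.
    """
    zones = {_norm(z): [_norm(n) for n in names] for z, names in delegations.items()}

    def owner(ns: str):
        # Most specific delegated zone containing ns, or None if outside.
        best = None
        for z in zones:
            if is_subdomain(ns, z) and (best is None or len(z) > len(best)):
                best = z
        return best

    resolvable: set = set()
    changed = True
    while changed:
        changed = False
        for z, names in zones.items():
            if z in resolvable:
                continue
            for ns in names:
                o = owner(ns)
                if o is None or o == z or o in resolvable:
                    resolvable.add(z)
                    changed = True
                    break
    return set(zones) - resolvable


def sibling_glue_relied_on(delegations: dict, parent: str) -> set:
    """Sibling NS names that the cyclic zones depend on the parent serving."""
    cyclic = find_cyclic_zones(delegations)
    needed = set()
    for z, names in delegations.items():
        if _norm(z) not in cyclic:
            continue
        for ns in names:
            if classify_ns(z, parent, ns) == "sibling":
                needed.add(_norm(ns))
    return needed


# Constructed delegation table for the parent zone "example":
#   a.example <-> b.example form a cycle; c is self-sufficient; d depends on
#   c; e points outside the table entirely.
EXAMPLE_PARENT = "example"
EXAMPLE_DELEGATIONS = {
    "a.example": ["ns.b.example"],
    "b.example": ["ns.a.example"],
    "c.example": ["ns1.c.example", "ns.a.example"],
    "d.example": ["ns.c.example"],
    "e.example": ["ns.outside.test"],
}

if __name__ == "__main__":
    for zone, names in EXAMPLE_DELEGATIONS.items():
        kinds = {n: classify_ns(zone, EXAMPLE_PARENT, n) for n in names}
        print(zone, kinds)
    print("cyclic:", sorted(find_cyclic_zones(EXAMPLE_DELEGATIONS)))
    print("sibling glue relied on:",
          sorted(sibling_glue_relied_on(EXAMPLE_DELEGATIONS, EXAMPLE_PARENT)))
```

Run against the constructed table, a.example and b.example come out as cyclic and the only records that could rescue them are the sibling glue for ns.a.example and ns.b.example; a real delegation check would feed the table from the parent's zone data or from live NS queries instead.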