Re: [DNSOP] DNS Delegation Requirements
"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Tue, 09 February 2016 23:39 UTC
Return-Path: <kevin.darcy@fcagroup.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FA4B1B2FA7 for <dnsop@ietfa.amsl.com>; Tue, 9 Feb 2016 15:39:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_31xMbHIe0T for <dnsop@ietfa.amsl.com>; Tue, 9 Feb 2016 15:39:29 -0800 (PST)
Received: from shbmap07.extra.chrysler.com (shbmap07.out.extra.chrysler.com [129.9.75.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E95B01B2F8E for <dnsop@ietf.org>; Tue, 9 Feb 2016 15:39:23 -0800 (PST)
Received: from odbmap09.oddc.chrysler.com (Unknown_Domain [151.171.137.34]) by shbmap07.extra.chrysler.com (Symantec Messaging Gateway) with SMTP id 02.D4.28752.AA87AB65; Tue, 9 Feb 2016 18:39:22 -0500 (EST)
X-AuditID: 81094b67-f79d16d000007050-ac-56ba78aaf86f
Received: from MXPA1CHRW.fgremc.it (Unknown_Domain [151.171.20.17]) by odbmap09.oddc.chrysler.com (Symantec Messaging Gateway) with SMTP id 4C.62.08139.AA87AB65; Tue, 9 Feb 2016 18:39:22 -0500 (EST)
Received: from mxph3chrw.fgremc.it (151.171.20.47) by MXPA1CHRW.fgremc.it (151.171.20.17) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 9 Feb 2016 18:39:21 -0500
Received: from mxph4chrw.fgremc.it (151.171.20.48) by mxph3chrw.fgremc.it (151.171.20.47) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 9 Feb 2016 18:39:21 -0500
Received: from mxph4chrw.fgremc.it ([fe80::cc0c:cb4f:1b3f:2701]) by mxph4chrw.fgremc.it ([fe80::cc0c:cb4f:1b3f:2701%18]) with mapi id 15.00.1156.000; Tue, 9 Feb 2016 18:39:21 -0500
From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] DNS Delegation Requirements
Thread-Index: AQHRYk7Ej91R1ae/DkSoWf1yAzUWN58iPk2AgABI0wCAAAA7kIAAnwCAgAEfXgD//+wNsIAALo7dgAAAdpA=
Date: Tue, 09 Feb 2016 23:39:20 +0000
Message-ID: <884f1c3fc1324a96a3732c942c8a25a3@mxph4chrw.fgremc.it>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se> <4C7298C1-4331-4953-881F-89C7BB3FED39@fl1ger.de> <CAHw9_iKDcqzW6NQkwyBh933=apjAqCDLKF7O60D5fmLm+PgLkg@mail.gmail.com> <e915c2c6f1b54b0188ee90eb753fbcb7@mxph4chrw.fgremc.it> <CAHw9_iLZfgGFTvjqXWDQvLdUUwpS-Ok3LKKzEbWqtsrQi+w==Q@mail.gmail.com> <C059877D829F76429F49E0B48705D888DDD21B4C@EXCH-01.CORP.CIRA.CA> <cd765f8368da465ea1078e20e77ea06c@mxph4chrw.fgremc.it> <20160209233439.2279C41C190F@rock.dv.isc.org>
In-Reply-To: <20160209233439.2279C41C190F@rock.dv.isc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [151.171.20.218]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsUyfXWnku6qil1hBt/WKVncfXOZxYHRY8mS n0wBjFFcNimpOZllqUX6dglcGfcftjAXrPWp2H3kMFMD4wqbLkZODgkBE4n1bz6xQ9hiEhfu rWfrYuTiEBK4xChx8/VWdpiiL43TmSESJxklFm7dwAiSEBJYyyix5lQCRALInvjoHCOEs4NR 4vXGS2BVbEDtC6/cZQaxRQSkJJ7NesQCYgsLGEisv3mZDSJuKPFq7WsoO0nixf7nYL0sAioS P14vBrN5BZwk3s2bB3XGA2aJ/TvXA93HwcEpYCXR2JsCUsMI9MP3U2uYQGxmAXGJW0/mM0G8 ICCxZM95ZghbVOLl43+sELaBxNal+1ggbCWJ86tvMkL06kgs2P2JDcLWlli28DUzxA2CEidn PmGB+F5Von/tS3aQeyQEGjkkjnSsYp/AKDMLye5ZSGbNQjJrFpJZCxhZVjFKF2ck5SYWGJjr pVaUFCXqJWcUVRbnpBbpJefnbmIExnMjp3f6DsYrCy0PMQpwMCrx8Eqm7AoTYk0sK67MPcQo zcGiJM57PRYoJJCeWJKanZpakFoUX1Sak1p8iJGJg1OqgbHqW79ClMLO6pVRqVKXQm6eCrzT +nVm5irxF3Pma3esfMD11Xudyqo3LiL3Xj74cTxw0+ywfl/9t4dr3DNlVJYvCY5eY8b9rjtb c9GbWvsahhtfo/V+P6vdJtnJ8izcalF28sHJn/X2tEzwe79m851F3tlN1qn87BN2f2ar3Saq OmlNquZ2/yolluKMREMt5qLiRACVzVbeyAIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrAKsWRmVeSWpSXmKPExsUyfbWIoO6qil1hBkdPCVvcfXOZxYHRY8mS n0wBjFFcNimpOZllqUX6dglcGfcftjAXrPWp2H3kMFMD4wqbLkZODgkBE4kvjdOZIWwxiQv3 1rN1MXJxCAmcZJRYuHUDI0hCSGAto8SaUwkQCSB74qNzjBDODkaJ1xsvgVWxAY1aeOUu2CgR ASmJZ7MesYDYwgIGEutvXmaDiBtKvFr7GspOknix/zlYL4uAisSP14vBbF4BJ4l38+YxQyx4 wCyxf+d69i5GDg5OASuJxt4UkBpGoFO/n1rDBGIzC4hL3HoynwniBQGJJXvOQ70jKvHy8T9W CNtAYuvSfSwQtpLE+dU3GSF6dSQW7P7EBmFrSyxb+JoZ4gZBiZMzn7BAfK8q0b/2JfsERslZ SNbNQtI+C0n7LCTtCxhZVjFK5ack5SYWGFjq5aekJOslZxRVFuekFukl5+duYgRHYKfiDsbG RZaHGAU4GJV4ePOzdoUJsSaWFVfmHmKU5GBSEuXl0QIK8SXlp1RmJBZnxBeV5qQWH2KU4GBW EuGVe7MzTIg3JbGyKrUoHyYlzcGiJM6rUuAQKCSQnliSmp2aWpBaBJOV4eBQkuCVLQcaKliU mp5akZaZU4KQZuLgBBnOAzR8QhlQDW9xQWJucWY6RP4Uo6SUOO8PkIQASCKjNA+u9xWjONAL wryuIKN5gMkUrusV0EAmoIEr/m0DGViSiJCSamBMl5G3PuPMsMulZfedyJft4lPfcbv2tG3+ sOn6yZTfU2p81ZrS0kPzG3rjjJ08d318kVEcOGOy2vPLs7VfVmtNjXaOdAph+yXUYcSvd36K c0Ducb01QZ3RDDvqZ39Le2Bwp0ZaTL+ITfx816GrbF43Df6xsNY1LphiuMV3Tmu+XYr4qlcv pZVYijMSDbWYi4oTAbKb0F9jAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/YTN7vR4IeYi8bXobZgiNAmHApHQ>
Subject: Re: [DNSOP] DNS Delegation Requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2016 23:39:31 -0000
True, the MX case falls within the intersection of DNS and SMTP standards, and thus must conform to the naming restrictions of both. That was a bad example and I shouldn't have cited it. - Kevin -----Original Message----- From: Mark Andrews [mailto:marka@isc.org] Sent: Tuesday, February 09, 2016 6:35 PM To: Darcy Kevin (FCA) Cc: dnsop Subject: Re: [DNSOP] DNS Delegation Requirements In message <cd765f8368da465ea1078e20e77ea06c@mxph4chrw.fgremc.it>, "Darcy Kevin (FCA)" writes: > Thats a very good catch. Restrictions on *hostnames* are different > than restrictions on *domain*names*. The language below, from RFC > 2181, Section 11 (incorrectly cited as RFC 2182, Section 11, in the > draft; but RFC 2182 has no Section 11), should be controlling, and the > other references (to RFCs 1035, 1123) should be discarded, since they > refer specifically to *hostname* (not *domain*name*) restrictions, > and/or are ambiguous as to whether they apply to hostnames or domain > names. The reference to RFC 3696 should be discarded also, since it is > only an Informational RFC, and defers to the others (1035, 1123 and > 2181) as authoritative (and in any case, makes an explicit exception > for names that are normally not seen by users). > > --- RFC 2181, SECTION 11 --- > Occasionally it is assumed that the Domain Name System serves only > the purpose of mapping Internet host names to data, and mapping > Internet addresses to host names. This is not correct, the DNS is a > general (if somewhat limited) hierarchical database, and can store > almost any kind of data, for almost any purpose. > > The DNS itself places only one restriction on the particular labels > that can be used to identify resource records. That one restriction > relates to the length of the label and the full name. The length of > any one label is limited to between 1 and 63 octets. A full domain > name is limited to 255 octets (including the separators). The zero > length full name is defined as representing the root of the DNS tree, > and is typically written and displayed as ".". Those restrictions > aside, any binary string whatever can be used as the label of any > resource record. Similarly, any binary string can serve as the value > of any record that includes a domain name as some or all of its > value > > (SOA, NS, MX, PTR, CNAME, and any others that may be added). > --- END QUOTE --- > > (Nota bene the reference to any binary string being legal as the value > of an NS record how can that be compatible with subjecting > delegations to hostname rules?). > > Now, if a particular *registry* wants to put additional restrictions > on the names it will delegate, then thats another matter, but IMO > outside the scope of this draft. > > In practice, it is quite common to delegate subzones whose only > contained leaf RRs are of type SRV and thus *must*, according to the > naming conventions of SRV, contain underscores in their FQDNs. As long > as those zones contain no hostname records, this is perfectly legal > and acceptable, according to current standards, and I see no > compelling reason to disparage or mark as defective, the delegation of such domains. > Although much rarer, some zones might only contain MX records, and/or > some other record type(s) which is/are not considered to represent a > hostname, _per_se_. Mail domains have exactly the same syntax requirements as hostnames. If you see a MX record w/o a LDH owner then it is not being used for a mail domain or it is there in error the same way as A / AAAA without a LDH owner is not being used as a hostname or it is there in error. Mark > - Kevin > > From: DNSOP mailto:dnsop-bounces@ietf.org On Behalf Of Jacques Latour > Sent: Tuesday, February 09, 2016 12:00 PM > To: Warren Kumari; Darcy Kevin (FCA); dnsop > Subject: Re: DNSOP DNS Delegation Requirements > > > Hi, > > > > Sent something relating to this on DNS-OARC this morning, but it seems > to be legit to have delegation for a _tcp.example.ca, which fails the > syntax requirements defined in section 8.1. Illegal characters MUST > NOT be in the domain name". > > > > A delegation can happen to a valid domain name, not necessarily a > valid hostname. > > > > Zonemaster fails on delegations like _sips._tcp.cam.ac.uk > > > > # dig _sips._tcp.cam.ac.uk ns +short > > rnb-uls2-jabber.phone.cam.ac.uk. > > cnh-uls2-jabber.phone.cam.ac.uk. > > wolf-uls2-jabber.phone.cam.ac.uk. > > > > > > Jack > > > > > From: DNSOP mailto:dnsop-bounces@ietf.org On Behalf Of Warren Kumari > Sent: February-08-16 6:51 PM > To: Darcy Kevin (FCA); dnsop > Subject: Re: DNSOP DNS Delegation Requirements > > > On Mon, Feb 8, 2016 at 3:38 PM Darcy Kevin (FCA) > <kevin.darcy@fcagroup.com<mailto:kevin.darcy@fcagroup.com>> wrote: > My 2 cents > > I dont think any DNS RFC should be tied to any specific element of > Internet routing technology. Keep it relatively generic and avoid > mention of ASes and the like, since this RFC may outlive the use of > ASes for Internet routing. Path diversity, link diversity, > network-level redundancy, those are all fine. > > That works too -- RFC 2182, 3.1. ? :-) > > W > > > > > - Kevin > > From: DNSOP > mailto:dnsop-bounces@ietf.org<mailto:dnsop-bounces@ietf.org> > On Behalf Of Warren Kumari > Sent: Monday, February 08, 2016 9:21 AM > To: Ralf Weber; Jakob Schlyter > Cc: dnsop; Patrik Wallstrm > Subject: Re: DNSOP DNS Delegation Requirements > > > On Mon, Feb 8, 2016 at 2:00 AM Ralf Weber > <dns@fl1ger.de<mailto:dns@fl1ger.de>> wrote: > Moin! > > On 8 Feb 2016, at 9:57, Jakob Schlyter wrote: > > At this point, we're seeking more public comments - on this mailing > > list (unless the chairs disapproves), on the our issue tracker 4 or > > via email to the authors. > Thanks a lot for this work. I certainly would like dnsop to work on > this. > > I would soften some of language and have a question. > > 5.1. There are use cases where the serial number rarely if ever is the > same on all servers and it's only really used inside communication for > a given domain and not during resolution. So the only people who know > if a divergent serial number is a problem are the domain owners. So we > shouldn't tell the public that this is a problem. I would say that a > different SOA serial number could be seen as an indicator of an > inconsistent setup, but that further analysis is required to really > conclude that. > > 6.2 The name servers SHOULD NOT belong to the same AS I would drop > that requirement altogether or make it a MAY. We really should not > tell people how to build networks from the DNS world. > > > I think that the SHOULD NOT is actually correct here -- from RFC1771: > The use of the term Autonomous System here stresses the fact that, > even when multiple IGPs and metrics are used, the administration of an > AS appears to other ASs to have a single coherent interior routing > plan and presents a consistent picture of what destinations are > reachable through it. > > An AS is a "network", run by one organization. This means that there > is a monkey sitting somewhere making all of the routing decisions, and > sometimes monkeys screw up. Having a nameserver in an AS that is run > by a different monkey means that you need multiple monkeys messing up > at the same time0. Also, a significant amount of routing and traffic > engineering decisions are made at the AS level ("Meh, I'll local-pref > AS 42 down to move this traffic $there") - this means that sometimes > folk screw up and accidentally block access to some set of ASes - SIDR > may or may not make this more likely :-) > > This is *not* telling people how to build their network - it is simply > *suggesting* that they consider putting some net of nameservers in a > network run by someone else. If you understand the implications of > putting all of your nameservers in one AS, good for you. If not, > chances are it's safer to put at least some elsewhere... > > W > 0: This (obviously) isn't really true, both ASs could share the same > upstream, router, etc. RFC 2182, 3.1. says it best: > "They should also be connected to > the net via quite diverse paths. This means that the failure of any > one link, or of routing within some segment of the network (such as a > service provider) will not make all of the servers unreachable." > > > > > > > 8.7 We should point out here that neither an MX nor an A record are > required at the zone apex or do you want either of them mandatory? > > On the SOA settings I do have a question. Would the following SOA be > legitimate according to this draft? > localhost. root.localhost. 1115106304 16384 2048 1048576 2560 > If not why not, as my spot checking didn't find anything that made it > invalid. > > So long > -Ralf > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org<mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org<mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] DNS Delegation Requirements Warren Kumari
- Re: [DNSOP] DNS Delegation Requirements Ray Bellis
- Re: [DNSOP] DNS Delegation Requirements Patrik Wallström
- Re: [DNSOP] DNS Delegation Requirements Ólafur Guðmundsson
- Re: [DNSOP] DNS Delegation Requirements Jakob Schlyter
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Shane Kerr
- Re: [DNSOP] DNS Delegation Requirements Ralf Weber
- [DNSOP] DNS Delegation Requirements Jakob Schlyter
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Warren Kumari
- Re: [DNSOP] DNS Delegation Requirements Jacques Latour
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements George Michaelson
- Re: [DNSOP] DNS Delegation Requirements Tony Finch
- [DNSOP] normative language in BCPs Re: DNS Delega… Suzanne Woolf
- Re: [DNSOP] normative language in BCPs Re: DNS De… George Michaelson
- Re: [DNSOP] normative language in BCPs Re: DNS De… Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements John Kristoff
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Jakob Schlyter