IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Puneet Sood <puneets@google.com> Sat, 15 April 2023 00:46 UTC

Return-Path: <puneets@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7795C14CE5F for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 17:46:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.596
X-Spam-Level:
X-Spam-Status: No, score=-17.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Noov4uo76AOI for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 17:46:55 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E707C14CEFF for <dnsop@ietf.org>; Fri, 14 Apr 2023 17:46:55 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id d75a77b69052e-3e920e1cd4cso518661cf.1 for <dnsop@ietf.org>; Fri, 14 Apr 2023 17:46:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681519614; x=1684111614; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9s5IGqmpF0AoQ0f/DdtD5/ZPIejj7l1O/CYCnCYa5LM=; b=XGRW9qgx8Fp3+iBDmg6jTzyxAREYjdj8iiZnPKixu5bN+CQy5HnmUgMK5y7K7CjcG7 3dKB3KGlJqDU3V6TutJkhSz98abcliH+I4pwwb5U4NmBmm5jKHXO+bvU45Gg2HXMGuFs GGBqUSoJ96+yytMvYeYcDt9cUWvE9Mu7fthGUDPqo/ULkH5C0L7LIcvwJfIrNpXp1uWL KW1aEncVvAdMx2idBsxSmM3g0fceCcFNpnR49TL5WmF8wdQt+BJSaZE/8zUt2wGC21aG VlV0v5L/DHSkFZL0lllLYOPVU/p77n5I9oy3ssH5rOQD/QjjXjVDH7QfBB+rWZZ3Yrki IHKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681519614; x=1684111614; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9s5IGqmpF0AoQ0f/DdtD5/ZPIejj7l1O/CYCnCYa5LM=; b=PGwNnMKz8G7cHGRvK5lpdoJGk8IB9xqTV6l7e2fht4m9UDm/iYE5g/acI2KDK2YtE1 I5lyfl3ktiPuIeQ6ozGvsoNQYtOAxPn8nfQBwixgpSaYxiln8C3RF+2Ki0TM1Wf61/BG PWbeULwq9dHl3boCl//FFQ3Zr6UsDCbUuQZ3pTy0X02w2UlNqjCuzC/dyhO3yBVpVmHc /pJNaCxcbrPH9wDAwgQ9+0/FH8eLgVANs5MRpxn8GbhEyTN3PeuswP4bnirYl4prEzv7 Tjuk/GdzhW9nkz4DUv8fkETMGuvx4iYx0DUIBpipHPNtrT5xck8ijWdYR2cMSToHY4X1 DCsg==
X-Gm-Message-State: AAQBX9f8UhTl0mzud+oUTepxeqhgBDuTGiIRAtZtrD7biFs9ofamxVy3 sfpNM/fy14XB7ryt+ALH808gXGUY0Zhx1K3LRyyHQg==
X-Google-Smtp-Source: AKy350btwF4QJh/vw5GwoaR9tol5gi8oT7BKrr9DTrrnCgprtQgwuum2vyCjwvgyjvTlCIqnqTDiZBCuiToT6BvJKkg=
X-Received: by 2002:ac8:570d:0:b0:3de:1aaa:42f5 with SMTP id 13-20020ac8570d000000b003de1aaa42f5mr341267qtw.15.1681519614247; Fri, 14 Apr 2023 17:46:54 -0700 (PDT)
MIME-Version: 1.0
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com> <CA+9_gVu4iHdxUTzDRYQ5FceHiauyZGiZLvrTmSQZvZz6ZHi90A@mail.gmail.com> <FA71180D-6042-4EFF-ABB6-EC95FF0969C7@isc.org>
In-Reply-To: <FA71180D-6042-4EFF-ABB6-EC95FF0969C7@isc.org>
From: Puneet Sood <puneets@google.com>
Date: Fri, 14 Apr 2023 20:46:35 -0400
Message-ID: <CA+9_gVun=ceg3F0UfSLmWD+qLQdKwn48DhOcP_DMWeFXoK48sw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Puneet Sood <puneets=40google.com@dmarc.ietf.org>, dnsop@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YeqoJl3fdoHudUObQlyfmpxKgPY>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 00:46:59 -0000

On Fri, Apr 14, 2023 at 8:26 PM Mark Andrews <marka@isc.org> wrote:
>
> RFC 2038 already says add the SOA so negative answers can be cached. The other responses
> where to show what was out there so that they where not misinterpreted.
I believe you are referring to this sentence? Quote: "The authority
section will contain an SOA record, or there will be no NS records
there."

That is not how I interpreted those lines. My understanding of the
part after the "or" is that a response with an empty ANSWER and AUTH
section also indicates NODATA (as confirmed by response type 3).

> I doubt saying
> don’t do those old forms will make any difference.  Everything out there has had 25 years
> to comply.
I understand updating the specs by itself does not fix compliance.
However clarifying that "or" would be useful.

>
> > On 15 Apr 2023, at 09:06, Puneet Sood <puneets=40google.com@dmarc.ietf.org> wrote:
> >
> > On the topic of authoritative server behavior as seen in the DNS
> > responses, a few areas for improvement below (not touching DNSSEC).
> > This is written from the perspective of a resolver using the auth
> > responses to answer user queries.
> >
> > * responding correctly to requests with certain flags, EDNS options.
> > This is covered well by RFC 8906. Now we wait for compliance.
> >
> > * proper glue
> > This I-D clarifies the need to supply *all the glue* and to set TC=1
> > correctly. Improve the specification for what to do with sibling or
> > cyclic glue. Ideally recommend against publishing and/or depending on
> > cyclic, sibling glue.
> >
> > * NODATA responses
> > RFC 2308 section 2.2 - No Data
> > [https://www.rfc-editor.org/rfc/rfc2308#section-2.2] describes three
> > different ways an NS response could indicate NODATA. Types 1 and 2
> > include a SOA record which is helpful in determining TTLs and start of
> > the zone cut (this matters when the same auth server is authoritative
> > for consecutive labels in a qname). Type 3 with no SOA while usable by
> > resolvers is not very helpful.
> >
> > Tightening of the specification to require type 1 or 2 responses for
> > NODATA will be beneficial (drop type 3).
> >
> > In addition two additional types of responses appear to show up in the
> > wild. Tightening the spec likely won't help here.
> > Type 4. SOA in Answer section
> > Non-compliant but a resolver can kind of figure this out and use it to
> > generate a NODATA answer.
> >
> > Implementation note: Viktor has done work on this topic so we should
> > have some data to share in a few weeks.
> >
> > Type 5. NS RRs for the zone in question (no SOA) (type 1 w/o the SOA :()
> > Generally treated as LAME.
> >
> > Questions for the working group:
> > Is there interest in updating existing specifications around glue and
> > NODATA responses?
> >
> > Are there other related auth response specifications which would
> > benefit from updates?
> >
> > Thanks for reading.
> >
> > -Puneet
> >
> > On Tue, Mar 28, 2023 at 9:54 PM Shumon Huque <shuque@gmail.com> wrote:
> >>
> >> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
> >>>
> >>>
> >>> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
> >>>>
> >>>>
> >>>>
> >>>> On 3/28/23 03:14, Shumon Huque wrote:
> >>>>> On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
> >>>>>
> >>>>>    On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
> >>>>>    Can we at least state that domains with cyclic dependencies are a bad
> >>>>>    idea, and may not be supported by all resolvers.  In other words, that
> >>>>>    the domain owner can't **rely** on the sibling glue recommended to be
> >>>>>    sent in this draft to save the day.
> >>>>>
> >>>>>    My strong preference is still to delete all reference in the draft to
> >>>>>    cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
> >>>>>    sibling glue primarily as a performance optimisation, and secondarily
> >>>>>    as a last resort when the nameserver IP addresses are wrong or gone
> >>>>>    from the authoritative zone (another bad practice).
> >>>>>
> >>>>>
> >>>>> Viktor - I've so far not seen many other people speak up in support of your
> >>>>> position. I suspect this is because this draft was discussed to death many
> >>>>> months ago during long discussion threads on the list, and there is likely
> >>>>> already rough consensus for the current content. Personally, I would be ok
> >>>>> with adding a statement that configurations involving cyclic dependencies
> >>>>> are not recommended, but others will likely have to also speak up in support
> >>>>> of this too.
> >>>>
> >>>> I support adding such a statement about cyclic dependencies.
> >>>
> >>>
> >>> As do I.
> >>>
> >>>
> >>>>
> >>>>
> >>>> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
> >>>
> >>>
> >>> I would support this as well.
> >>>
> >>> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
> >>>
> >>> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.
> >>>
> >>
> >> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
> >>
> >> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.
> >>
> >> Shumon.
> >>
> >> _______________________________________________
> >> DNSOP mailing list
> >> DNSOP@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dnsop
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email