IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Mark Andrews <marka@isc.org> Sat, 15 April 2023 01:20 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBD26C1516E9 for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 18:20:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="bn8k5uss"; dkim=pass (1024-bit key) header.d=isc.org header.b="mm2mssE+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ipy9fX-BZFmE for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 18:20:28 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E1AAC14CF13 for <dnsop@ietf.org>; Fri, 14 Apr 2023 18:20:28 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 860763AB033; Sat, 15 Apr 2023 01:20:27 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 860763AB033
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1681521627; cv=none; b=AuIWYcBEj++85WgTBd11OVd23oYlgOq+Rd+xmhZmpSsP6ieuYH5Kt4ceMW25lMU3/aB3Pbga6DBM9HLWKDUFrW4YVcymesGqahr4mglReMTb2daWv1/ExX3+d3ndC1RE4Whjc3ClJZXhSSxIiVjJ4NZE5xKQaHmAaG7j1DvWGEE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1681521627; c=relaxed/relaxed; bh=SOsL48TqqtRxdQpFRMsBFEgi1aUZLp+3idfCFq9VEwY=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=f/Ih0VDgGQwHkiLdT2hp73KxRhpI4U3GnJiwymZGE331ApoGDK60wfGLPUEH152RR7FyXWPcjeh8VY8RKKGkj5MpSC+U6JCiRAGMd5A3eH2Bll3E+v8NmID+9nxVTbjW6xFymIaQpeKNm4LwwVgZ7F94P9oiPmLQTkdPHDPt9x8=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 860763AB033
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1681521627; bh=tUNt/fVHeLTpERppFDJKWRF+RYEyQsBBRnTY86XcTJk=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=bn8k5uss+RS+jtiF8IIC3NvtvkBa/zd62Ywbkg1mEuSfMAAMNTJanBjWT5h6E5peu 8pgd2UbDbIz+LXCcxcBijcnWOkIqJ1hJgEsaKLr9uzZC/1gR/ClKACGzsIg7OedHDz AZeIubcpc4UfHD+lI3QFCuKci03NPIUwhBod8Mn8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 78137FE5873; Sat, 15 Apr 2023 01:20:27 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 4CA2EFE5879; Sat, 15 Apr 2023 01:20:27 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 4CA2EFE5879
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1681521627; bh=SOsL48TqqtRxdQpFRMsBFEgi1aUZLp+3idfCFq9VEwY=; h=Mime-Version:From:Date:Message-Id:To; b=mm2mssE+l+51ji0SKQxCeo9114Mtu9x7AYekxAeX8CCOgtyA6vSxWe+ICrSVC9peR ND3uUv+wud4tPWDJY9zp/qyRfOulZ2FdXZTRcKv5cLLjMZBd+JHf0q288Ns/UvBQbW MtcAxAgsTSZy3m1vNLOfJUmbyBKvqxCQ+UWq5F8A=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 0eTTxhFGph49; Sat, 15 Apr 2023 01:20:27 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 6515BFE5873; Sat, 15 Apr 2023 01:20:26 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <FCEFE347-F90A-474D-AFF3-AE58C5266B3C@isc.org>
Date: Sat, 15 Apr 2023 11:20:13 +1000
Cc: Puneet Sood <puneets=40google.com@dmarc.ietf.org>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <859C9418-CFEF-4FE1-9DF3-A2DC61EFA215@isc.org>
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com> <CA+9_gVu4iHdxUTzDRYQ5FceHiauyZGiZLvrTmSQZvZz6ZHi90A@mail.gmail.com> <FA71180D-6042-4EFF-ABB6-EC95FF0969C7@isc.org> <CA+9_gVun=ceg3F0UfSLmWD+qLQdKwn48DhOcP_DMWeFXoK48sw@mail.gmail.com> <CA+9_gVsS3Jwv4kQcLRYBJtPf-R6DjZ0jNGCKojV9nQbbL3B-NA@mail.gmail.com> <FCEFE347-F90A-474D-AFF3-AE58C5266B3C@isc.org>
To: Puneet Sood <puneets@google.com>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yrzbwo7eV6b8TR2OfRbbxytuUfw>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 01:20:33 -0000

At this stage I think the only way to force this is to drop negative
responses without SOA records present.  To have the lookups fail and
that requires buy in by the large recursive server operators.

Similarly add an unknown EDNS option (pick a value between 1000 and 1999)
to every QUERY until 1 Jan 2025 and if it comes back FORMERR with an OPT
record present, drop the response.  10 years after cleaning up the EDNS
specification we still have .5% of servers not updated.  BIND is effectively
doing this with DNS COOKIE but it is painful when people say “but the lookup
works with large recursive server”. 

> On 15 Apr 2023, at 11:01, Mark Andrews <marka@isc.org> wrote:
> 
> Somehow saying MUST include a SOA record in the negative response
> isn’t enough.
> 
> 3 - Negative Answers from Authoritative Servers
> 
> Name servers authoritative for a zone MUST include the SOA record of
> the zone in the authority section of the response when reporting an
> NXDOMAIN or indicating that no data of the requested type exists.
> This is required so that the response may be cached. The TTL of this
> record is set from the minimum of the MINIMUM field of the SOA record
> and the TTL of the SOA itself, and indicates how long a resolver may
> cache the negative answer. The TTL SIG record associated with the
> SOA record should also be trimmed in line with the SOA's TTL.
> 
> If the containing zone is signed [RFC2065] the SOA and appropriate
> NXT and SIG records MUST be added.
> 
> 6 - Negative answers from the cache
> 
> When a server, in answering a query, encounters a cached negative
> response it MUST add the cached SOA record to the authority section
> of the response with the TTL decremented by the amount of time it was
> stored in the cache. This allows the NXDOMAIN / NODATA response to
> time out correctly.
> 
>> On 15 Apr 2023, at 10:48, Puneet Sood <puneets@google.com> wrote:
>> 
>> Also the following section (2.2.1 - Special Handling of No Data)
>> suggests sending type 2 instead of type 1 responses but is silent
>> about type 3 responses.
>> 
>> On Fri, Apr 14, 2023 at 8:46 PM Puneet Sood <puneets@google.com> wrote:
>>> 
>>> On Fri, Apr 14, 2023 at 8:26 PM Mark Andrews <marka@isc.org> wrote:
>>>> 
>>>> RFC 2038 already says add the SOA so negative answers can be cached. The other responses
>>>> where to show what was out there so that they where not misinterpreted.
>>> I believe you are referring to this sentence? Quote: "The authority
>>> section will contain an SOA record, or there will be no NS records
>>> there."
>>> 
>>> That is not how I interpreted those lines. My understanding of the
>>> part after the "or" is that a response with an empty ANSWER and AUTH
>>> section also indicates NODATA (as confirmed by response type 3).
>>> 
>>>> I doubt saying
>>>> don’t do those old forms will make any difference.  Everything out there has had 25 years
>>>> to comply.
>>> I understand updating the specs by itself does not fix compliance.
>>> However clarifying that "or" would be useful.
>>> 
>>>> 
>>>>> On 15 Apr 2023, at 09:06, Puneet Sood <puneets=40google.com@dmarc.ietf.org> wrote:
>>>>> 
>>>>> On the topic of authoritative server behavior as seen in the DNS
>>>>> responses, a few areas for improvement below (not touching DNSSEC).
>>>>> This is written from the perspective of a resolver using the auth
>>>>> responses to answer user queries.
>>>>> 
>>>>> * responding correctly to requests with certain flags, EDNS options.
>>>>> This is covered well by RFC 8906. Now we wait for compliance.
>>>>> 
>>>>> * proper glue
>>>>> This I-D clarifies the need to supply *all the glue* and to set TC=1
>>>>> correctly. Improve the specification for what to do with sibling or
>>>>> cyclic glue. Ideally recommend against publishing and/or depending on
>>>>> cyclic, sibling glue.
>>>>> 
>>>>> * NODATA responses
>>>>> RFC 2308 section 2.2 - No Data
>>>>> [https://www.rfc-editor.org/rfc/rfc2308#section-2.2] describes three
>>>>> different ways an NS response could indicate NODATA. Types 1 and 2
>>>>> include a SOA record which is helpful in determining TTLs and start of
>>>>> the zone cut (this matters when the same auth server is authoritative
>>>>> for consecutive labels in a qname). Type 3 with no SOA while usable by
>>>>> resolvers is not very helpful.
>>>>> 
>>>>> Tightening of the specification to require type 1 or 2 responses for
>>>>> NODATA will be beneficial (drop type 3).
>>>>> 
>>>>> In addition two additional types of responses appear to show up in the
>>>>> wild. Tightening the spec likely won't help here.
>>>>> Type 4. SOA in Answer section
>>>>> Non-compliant but a resolver can kind of figure this out and use it to
>>>>> generate a NODATA answer.
>>>>> 
>>>>> Implementation note: Viktor has done work on this topic so we should
>>>>> have some data to share in a few weeks.
>>>>> 
>>>>> Type 5. NS RRs for the zone in question (no SOA) (type 1 w/o the SOA :()
>>>>> Generally treated as LAME.
>>>>> 
>>>>> Questions for the working group:
>>>>> Is there interest in updating existing specifications around glue and
>>>>> NODATA responses?
>>>>> 
>>>>> Are there other related auth response specifications which would
>>>>> benefit from updates?
>>>>> 
>>>>> Thanks for reading.
>>>>> 
>>>>> -Puneet
>>>>> 
>>>>> On Tue, Mar 28, 2023 at 9:54 PM Shumon Huque <shuque@gmail.com> wrote:
>>>>>> 
>>>>>> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 3/28/23 03:14, Shumon Huque wrote:
>>>>>>>>> On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
>>>>>>>>> 
>>>>>>>>>  On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>>>>>>>>>  Can we at least state that domains with cyclic dependencies are a bad
>>>>>>>>>  idea, and may not be supported by all resolvers.  In other words, that
>>>>>>>>>  the domain owner can't **rely** on the sibling glue recommended to be
>>>>>>>>>  sent in this draft to save the day.
>>>>>>>>> 
>>>>>>>>>  My strong preference is still to delete all reference in the draft to
>>>>>>>>>  cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>>>>>>>>>  sibling glue primarily as a performance optimisation, and secondarily
>>>>>>>>>  as a last resort when the nameserver IP addresses are wrong or gone
>>>>>>>>>  from the authoritative zone (another bad practice).
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Viktor - I've so far not seen many other people speak up in support of your
>>>>>>>>> position. I suspect this is because this draft was discussed to death many
>>>>>>>>> months ago during long discussion threads on the list, and there is likely
>>>>>>>>> already rough consensus for the current content. Personally, I would be ok
>>>>>>>>> with adding a statement that configurations involving cyclic dependencies
>>>>>>>>> are not recommended, but others will likely have to also speak up in support
>>>>>>>>> of this too.
>>>>>>>> 
>>>>>>>> I support adding such a statement about cyclic dependencies.
>>>>>>> 
>>>>>>> 
>>>>>>> As do I.
>>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
>>>>>>> 
>>>>>>> 
>>>>>>> I would support this as well.
>>>>>>> 
>>>>>>> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
>>>>>>> 
>>>>>>> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.
>>>>>>> 
>>>>>> 
>>>>>> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
>>>>>> 
>>>>>> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.
>>>>>> 
>>>>>> Shumon.
>>>>>> 
>>>>>> _______________________________________________
>>>>>> DNSOP mailing list
>>>>>> DNSOP@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>> 
>>>>> _______________________________________________
>>>>> DNSOP mailing list
>>>>> DNSOP@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>> 
>>>> --
>>>> Mark Andrews, ISC
>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email