IETF Logo Mail Archive

Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-03.txt

Mark Andrews <Mark_Andrews@isc.org> Mon, 22 November 2004 20:03 UTC

Received: from darkwing.uoregon.edu (root@darkwing.uoregon.edu [128.223.142.13]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09279 for <dnsop-archive@lists.ietf.org>; Mon, 22 Nov 2004 15:03:05 -0500 (EST)
Received: from darkwing.uoregon.edu (majordom@localhost [127.0.0.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id iAMII449020092; Mon, 22 Nov 2004 10:18:04 -0800 (PST)
Received: (from majordom@localhost) by darkwing.uoregon.edu (8.12.11/8.12.11/Submit) id iAMII3rA020042; Mon, 22 Nov 2004 10:18:03 -0800 (PST)
To: dnsop@lists.uoregon.edu
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: [dnsop] WGLC on draft-ietf-dnsop-bad-dns-res-03.txt
Date: Mon, 22 Nov 2004 09:45:12 +1100
Message-Id: <200411212245.iALMjCiR090307@drugs.dv.isc.org>
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
Reply-To: Mark Andrews <Mark_Andrews@isc.org>

> I think I'll have to re-iterate my earlier point, from June 2004, now,
> because it was probably forgotten:
>
> http://darkwing.uoregon.edu/~llynch/dnsop/msg02940.html

	As for the IPv6 addresses question.
	IPv6 addresses are generally a single label (ignoring mapped
	addresses, e.g. ::ffff:123.123.123.123).

> Have these changes been reviewed and/or adopted by DNSEXT WG?
>
> We've produced a similar document like this one at v6ops, and the IESG
> stomped on it, because they wanted that the concerned WGs fix the
> problem, e.g., by new specifications, not that possible fixes are just
> described in an informational RFC -- check out
> draft-ietf-v6ops-v6onbydefault in the I-D tracker if interested.
>
> That is, if a dnsop document is proposing protocol fixes, those fixes
> must actually get in the dnsext pipeline, and we must actually wait
> for those fixes to be finalized before going forward. (Or, then we
> just remove the recommended protocol fixes.)
>
> --
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> .
> dnsop resources:_____________________________________________________
> web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
> mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html


	2.6.1  Recommendation

	The following sentence is not true.

					       But in any case, the
   address record must still be present in this zone, either as
   authoritative data or glue.

	The classic example is the root zone where the address
	records for the root servers are not part of the root zone.
	The root zone contains glue for the NET servers and the NET
	zone contain glue for ROOT-SERVERS.NET servers.

	I would make 'missing "in zone" address records' a fatal load
	error.  Error messages don't get read unless the server stops
	serving the zone.  A address record is not "in zone" if there
	is a delegation between the top of zone and the owner name of
	the address record.

	Note:  this also catches the cases were people only put in
	glue records.  In a IPv4 only world one could often get
	away with this.  In a IPv4/IPv6 world this fails miserably.

	2.3  Inability to follow multiple levels of out-of-zone glue

	Should also say how to avoid this pactice.  The simple rule
	is that "a server SHOULD be an official server for the zone
	it lives in".  Historically this was the case.  Something like:

   You can avoid triggering this problem by always having a server
   offically serve (be listed in the NS RRset) the zone it lives in.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

v2.23.0 | Report a Bug | By Email