IETF Logo Mail Archive

[DNSOP] normative language in BCPs Re: DNS Delegation Requirements

Suzanne Woolf <suzworldwide@gmail.com> Sun, 21 February 2016 22:37 UTC

Return-Path: <suzworldwide@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15B71A9066 for <dnsop@ietfa.amsl.com>; Sun, 21 Feb 2016 14:37:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8yItXynioaeM for <dnsop@ietfa.amsl.com>; Sun, 21 Feb 2016 14:37:36 -0800 (PST)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2017A1A8F4F for <dnsop@ietf.org>; Sun, 21 Feb 2016 14:37:36 -0800 (PST)
Received: by mail-qk0-x234.google.com with SMTP id o6so50131864qkc.2 for <dnsop@ietf.org>; Sun, 21 Feb 2016 14:37:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=lzPy2DVszEAzH23CBuYMJeYEm9fChmdHCskxYxXqJ/4=; b=oZGQ3/C6NdhxYSrn14FzO8xyy4137WhbS4ooXpGbwawqsu6hdl9kl9TqfR2cs3ksu+ 5VjEHMiyUL2S+VvO6JEBLnlEKDPUWOY0tcec5vc61j/2pY4UbdlHHDilJqnC4B9RUSwQ u/pB2MVNLD+3qP/pTBYhgbUPO3A9hhdWWcNSaobsPE1JJvEwRU4w696ZFSMxUPkom+3u QlaNt4O4tgO81gY5rXaUushZ4XhrcKCi4mkuoj1G41QbH+vyeE1rhKjOKG4i8ej4zE82 CzrQZzKTKm5GRj7QYrIQlYOG2C6cN5njEI0G9J3BaHll2FtkFNC0FRm3pxdab26ESexQ asMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=lzPy2DVszEAzH23CBuYMJeYEm9fChmdHCskxYxXqJ/4=; b=f2KbJXYp05NI35mnFf71ybVGQmgG6jvm0p89mERA6XIfhbhZv9pSH9HtNgskl7CzDy snjRzpEtyBcjm4R2DHjwQbvGQmeRBSTQhyNcM9rvE/0nspL6QD/poIhFLSH+C6OVI+EA rJuuatJWa9envq089JJlFd5dlE6V2Z65n0izcLEvomr8oJI1BDQdyiToJDR9PGa5fK9N iVf+ADDUAd0tdXiDyaDN5ixOCc1mqwtYM7M8CjXtY1H3mOwp3voq31U4gyva0UhJoFh9 q3S0KOUX05SmNQxmf47IG3JQzyy2Gx4soPOU+G7QB81/wgdqai4g7LNBNgxWiPvd+yqM 8q9w==
X-Gm-Message-State: AG10YORlTLXgKJEI44KhWyPXTt+PHLJulv7tXeeKXLv9/EiadzxBBjpXkJ5Rg16CGT4QUg==
X-Received: by 10.55.19.170 with SMTP id 42mr16495753qkt.21.1456094255227; Sun, 21 Feb 2016 14:37:35 -0800 (PST)
Received: from ?IPv6:2601:181:c002:25ee:b97b:b688:1fc9:b595? ([2601:181:c002:25ee:b97b:b688:1fc9:b595]) by smtp.gmail.com with ESMTPSA id j7sm5481368qgd.2.2016.02.21.14.37.33 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 21 Feb 2016 14:37:34 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_C3A19A26-4429-4D99-9511-61796809C537"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Suzanne Woolf <suzworldwide@gmail.com>
In-Reply-To: <CAKr6gn2zA1DST-DuyV1Lhhfy41UrBE5AJdmy=nH65Bi-J9ja2Q@mail.gmail.com>
Date: Sun, 21 Feb 2016 17:37:39 -0500
Message-Id: <A1DD7FB4-3847-4E4F-A5D2-94E9144929D9@gmail.com>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se> <4C7298C1-4331-4953-881F-89C7BB3FED39@fl1ger.de> <CAHw9_iKDcqzW6NQkwyBh933=apjAqCDLKF7O60D5fmLm+PgLkg@mail.gmail.com> <e915c2c6f1b54b0188ee90eb753fbcb7@mxph4chrw.fgremc.it> <CAHw9_iLZfgGFTvjqXWDQvLdUUwpS-Ok3LKKzEbWqtsrQi+w==Q@mail.gmail.com> <C059877D829F76429F49E0B48705D888DDD21B4C@EXCH-01.CORP.CIRA.CA> <cd765f8368da465ea1078e20e77ea06c@mxph4chrw.fgremc.it> <20160209233439.2279C41C190F@rock.dv.isc.org> <884f1c3fc1324a96a3732c942c8a25a3@mxph4chrw.fgremc.it> <CAKr6gn2zA1DST-DuyV1Lhhfy41UrBE5AJdmy=nH65Bi-J9ja2Q@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
X-Mailer: Apple Mail (2.1510)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/a8ooeTw_CEBFuXyXJSLC6Ni3DWY>
Cc: dnsop <dnsop@ietf.org>
Subject: [DNSOP] normative language in BCPs Re: DNS Delegation Requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2016 22:37:41 -0000

(no hats)

George,

I've been thinking about this post, and this general topic, for quite some time, and I think I have a coherent answer, but the WG needs to weigh in. Generally speaking, I think it deserves more attention than it's gotten from us, which is why I'm writing now.

I think I'm actually OK with normative language in an operational document, *if* that document is intended to be a BCP.  A BCP RFC gets more scrutiny than an Informational one under IETF process; it's supposed to be an IETF consensus document just as a standards track document is; and at least to my mind, it's thus defensible to use more prescriptive language. 

RFC 2026 Section 5, which talks about BCPs, seems consistent with this approach.

In the case of a BCP, there's also a sensible answer to your question about consequences of violating a MUST: The violation of a MUST in a protocol document means that the implementation isn't compliant with the protocol specification, and may not interoperate with other implementations that do comply. I think a similar argument can be made for what it means to be compliant with an operational BCP.

With that said, RFC 2119 is also pretty cautionary about being careful in the use of MUSTs and SHOULDs: it suggests staying away from those terms unless there are identifiable consequences to violating them, i.e. they're not just expressing an aesthetic preference.

This draft was posted with an intended status of Informational. I'm interested in what the authors and the WG would think of it as a BCP.

The no-response draft has a similar issue IMO, in that it's quite prescriptive about what a certain set of players (TLD operators) should do about identified problems, and silent on advice to anyone else (registrars who have customer relationships with domain owners, DNS hosting operators, DNS implementers,….)

I think the other way to frame the use of strongly prescriptive language in this document would be to leave the intended status at Informational, and introduce it as an example of what some operators consider good practice in setting up their delegations, without claiming general applicability.

Comments?

thanks,
Suzanne



On Feb 9, 2016, at 7:14 PM, George Michaelson <ggm@algebras.org> wrote:

> its maybe me, I'm having a bad (no?) hair day, I need more caffiene.. but this feels like a "oh can't we just stop" moment.
> 
> MUST in protocols terms is good: its proscriptive, definitive language around on-the-wire.
> 
> MUST in operations terms is getting way off IETF charter, even with an ops focus.
> 
> waddaya gonna do if I don't do the MUST? you gonna blacklist me? you gonna forbid applications to flow?
> 
> I feel like capitalized normatives in operational recommendations is a big mistake. 
> 
> Sure, by all means lets recommend "please: don't put your authoritative NS eggs in one AS basket" but MUST?  MUST we? must WE?
> 
> -G
> 
> On Wed, Feb 10, 2016 at 9:39 AM, Darcy Kevin (FCA) <kevin.darcy@fcagroup.com> wrote:
> True, the MX case falls within the intersection of DNS and SMTP standards, and thus must conform to the naming restrictions of both. That was a bad example and I shouldn't have cited it.
> 
>                                                                                         - Kevin
> 
> -----Original Message-----
> From: Mark Andrews [mailto:marka@isc.org]
> Sent: Tuesday, February 09, 2016 6:35 PM
> To: Darcy Kevin (FCA)
> Cc: dnsop
> Subject: Re: [DNSOP] DNS Delegation Requirements
> 
> 
> In message <cd765f8368da465ea1078e20e77ea06c@mxph4chrw.fgremc.it>, "Darcy Kevin (FCA)" writes:
> > Thats a very good catch. Restrictions on *hostnames* are different
> > than restrictions on *domain*names*. The language below, from RFC
> > 2181, Section 11 (incorrectly cited as RFC 2182, Section 11, in the
> > draft; but RFC 2182 has no Section 11), should be controlling, and the
> > other references (to RFCs 1035, 1123) should be discarded, since they
> > refer specifically to *hostname* (not *domain*name*) restrictions,
> > and/or are ambiguous as to whether they apply to hostnames or domain
> > names. The reference to RFC 3696 should be discarded also, since it is
> > only an Informational RFC, and defers to the others (1035, 1123 and
> > 2181) as authoritative (and in any case, makes an explicit exception
> > for names that are normally not seen by users).
> >
> > --- RFC 2181, SECTION 11 ---
> > Occasionally it is assumed that the Domain Name System serves only
> >    the purpose of mapping Internet host names to data, and mapping
> >    Internet addresses to host names.  This is not correct, the DNS is a
> >    general (if somewhat limited) hierarchical database, and can store
> >    almost any kind of data, for almost any purpose.
> >
> >    The DNS itself places only one restriction on the particular labels
> >    that can be used to identify resource records.  That one restriction
> >    relates to the length of the label and the full name.  The length of
> >    any one label is limited to between 1 and 63 octets.  A full domain
> >    name is limited to 255 octets (including the separators).  The zero
> >    length full name is defined as representing the root of the DNS tree,
> >    and is typically written and displayed as ".".  Those restrictions
> >    aside, any binary string whatever can be used as the label of any
> >    resource record.  Similarly, any binary string can serve as the value
> >    of any record that includes a domain name as some or all of its
> > value
> >
> >    (SOA, NS, MX, PTR, CNAME, and any others that may be added).
> > --- END QUOTE ---
> >
> > (Nota bene the reference to any binary string being legal as the value
> > of an NS record  how can that be compatible with subjecting
> > delegations to hostname rules?).
> >
> > Now, if a particular *registry* wants to put additional restrictions
> > on the names it will delegate, then thats another matter, but IMO
> > outside the scope of this draft.
> >
> > In practice, it is quite common to delegate subzones whose only
> > contained leaf RRs are of type SRV and thus *must*, according to the
> > naming conventions of SRV, contain underscores in their FQDNs. As long
> > as those zones contain no hostname records, this is perfectly legal
> > and acceptable, according to current standards, and I see no
> > compelling reason to disparage or mark as defective, the delegation of such domains.
> > Although much rarer, some zones might only contain MX records, and/or
> > some other record type(s) which is/are not considered to represent a
> > hostname, _per_se_.
> 
> Mail domains have exactly the same syntax requirements as hostnames.
> 
> If you see a MX record w/o a LDH owner then it is not being used for a mail domain or it is there in error the same way as A / AAAA without a LDH owner is not being used as a hostname or it is there in error.
> 
> Mark
> 
> >             - Kevin
> >
> > From: DNSOP mailto:dnsop-bounces@ietf.org On Behalf Of Jacques Latour
> > Sent: Tuesday, February 09, 2016 12:00 PM
> > To: Warren Kumari; Darcy Kevin (FCA); dnsop
> > Subject: Re: DNSOP DNS Delegation Requirements
> >
> >
> > Hi,
> >
> >
> >
> > Sent something relating to this on DNS-OARC this morning, but it seems
> > to be legit to have delegation for a _tcp.example.ca, which fails the
> > syntax requirements defined in section  8.1.  Illegal characters MUST
> > NOT be in the domain name".
> >
> >
> >
> > A delegation can happen to a valid domain name, not necessarily a
> > valid hostname.
> >
> >
> >
> > Zonemaster fails on delegations like _sips._tcp.cam.ac.uk
> >
> >
> >
> > # dig _sips._tcp.cam.ac.uk  ns +short
> >
> > rnb-uls2-jabber.phone.cam.ac.uk.
> >
> > cnh-uls2-jabber.phone.cam.ac.uk.
> >
> > wolf-uls2-jabber.phone.cam.ac.uk.
> >
> >
> >
> >
> >
> > Jack
> >
> >
> >
> >
> > From: DNSOP mailto:dnsop-bounces@ietf.org On Behalf Of Warren Kumari
> > Sent: February-08-16 6:51 PM
> > To: Darcy Kevin (FCA); dnsop
> > Subject: Re: DNSOP DNS Delegation Requirements
> >
> >
> > On Mon, Feb 8, 2016 at 3:38 PM Darcy Kevin (FCA)
> > <kevin.darcy@fcagroup.com<mailto:kevin.darcy@fcagroup.com>> wrote:
> > My 2 cents
> >
> > I dont think any DNS RFC should be tied to any specific element of
> > Internet routing technology. Keep it relatively generic and avoid
> > mention of ASes and the like, since this RFC may outlive the use of
> > ASes for Internet routing. Path diversity, link diversity,
> > network-level redundancy, those are all fine.
> >
> > That works too -- RFC 2182, 3.1. ? :-)
> >
> > W
> >
> >
> >
> >
> >                                               - Kevin
> >
> > From: DNSOP
> > mailto:dnsop-bounces@ietf.org<mailto:dnsop-bounces@ietf.org>
> > On Behalf Of Warren Kumari
> > Sent: Monday, February 08, 2016 9:21 AM
> > To: Ralf Weber; Jakob Schlyter
> > Cc: dnsop; Patrik Wallstrm
> > Subject: Re: DNSOP DNS Delegation Requirements
> >
> >
> > On Mon, Feb 8, 2016 at 2:00 AM Ralf Weber
> > <dns@fl1ger.de<mailto:dns@fl1ger.de>> wrote:
> > Moin!
> >
> > On 8 Feb 2016, at 9:57, Jakob Schlyter wrote:
> > > At this point, we're seeking more public comments - on this mailing
> > > list (unless the chairs disapproves), on the our issue tracker 4 or
> > > via email to the authors.
> > Thanks a lot for this work. I certainly would like dnsop to work on
> > this.
> >
> > I would soften some of language and have a question.
> >
> > 5.1. There are use cases where the serial number rarely if ever is the
> > same on all servers and it's only really used inside communication for
> > a given domain and not during resolution. So the only people who know
> > if a divergent serial number is a problem are the domain owners. So we
> > shouldn't tell the public that this is a problem. I would say that a
> > different SOA serial number could be seen as an indicator of an
> > inconsistent setup, but that further analysis is required to really
> > conclude that.
> >
> > 6.2 The name servers SHOULD NOT belong to the same AS I would drop
> > that requirement altogether or make it a MAY. We really should not
> > tell people how to build networks from the DNS world.
> >
> >
> > I think that the SHOULD NOT is actually correct here -- from RFC1771:
> > The use of the term Autonomous System here stresses the fact that,
> > even when multiple IGPs and metrics are used, the administration of an
> > AS appears to other ASs to have a single coherent interior routing
> > plan and presents a consistent picture of what destinations are
> > reachable through it.
> >
> > An AS is a "network", run by one organization. This means that there
> > is a monkey sitting somewhere making all of the routing decisions, and
> > sometimes monkeys screw up. Having a nameserver in an AS that is run
> > by a different monkey means that you need multiple monkeys messing up
> > at the same time0. Also, a significant amount of routing and traffic
> > engineering decisions are made at the AS level ("Meh, I'll local-pref
> > AS 42 down to move this traffic $there") - this means that sometimes
> > folk screw up and accidentally block access to some set of ASes - SIDR
> > may or may not make this more likely :-)
> >
> > This is *not* telling people how to build their network - it is simply
> > *suggesting* that they consider putting some net of nameservers in a
> > network run by someone else.  If you understand the implications of
> > putting all of your nameservers in one AS, good for you. If not,
> > chances are it's safer to put at least some elsewhere...
> >
> > W
> > 0: This (obviously) isn't really true, both ASs could share the same
> > upstream, router, etc. RFC 2182, 3.1. says it best:
> > "They should also be connected to
> > the net via quite diverse paths.  This means that the failure of any
> > one link, or of routing within some segment of the network (such as a
> > service provider) will not make all of the servers unreachable."
> >
> >
> >
> >
> >
> >
> > 8.7 We should point out here that neither an MX nor an A record are
> > required at the zone apex or do you want either of them mandatory?
> >
> > On the SOA settings I do have a question. Would the following SOA be
> > legitimate according to this draft?
> >         localhost. root.localhost. 1115106304 16384 2048 1048576 2560
> > If not why not, as my spot checking didn't find anything that made it
> > invalid.
> >
> > So long
> > -Ralf
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org<mailto:DNSOP@ietf.org>
> > https://www.ietf.org/mailman/listinfo/dnsop
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org<mailto:DNSOP@ietf.org>
> > https://www.ietf.org/mailman/listinfo/dnsop
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email