Re: [DNSOP] Delegation into the interior of a zone?

Grant Taylor <gtaylor@tnetconsulting.net> Fri, 28 December 2018 00:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bNyKLkKhKQ3miG1onaRElNACV30>

On 12/27/18 1:29 PM, John R Levine wrote:
> He thinks $GENERATE confuses people.

No, $GENERATE is not why he, *I*, prefer to use NS over CNAME delegation.

I listed out multiple (2 ~ 3) manually as an example instead of using 
$GENERATE purely to simplify the example.  I've run across many people 
that don't know what $GENERATE is, particularly if their experience 
comes from somewhere other than BIND.

So, I simply list out the discrete lines that $GENERATE would produce. 
I think it removes a variable from an equation and simplifies things.

The use of $GENERATE or not is independent of CNAME vs NS delegation.

Besides, $GENERATE happily works with CNAME as well as it does NS records.

$GENERATE 1-4 $ CNAME $.bob.example.net.
$GENERATE 5-8 $ NS ns1.example.com.

Both work perfectly fine.  named-compilezone produces the expected lines.

1.localhost.  604800  IN  CNAME  1.bob.example.net.
2.localhost.  604800  IN  CNAME  2.bob.example.net.
3.localhost.  604800  IN  CNAME  3.bob.example.net.
4.localhost.  604800  IN  CNAME  4.bob.example.net.
5.localhost.  604800  IN  NS     ns1.example.com.
6.localhost.  604800  IN  NS     ns1.example.com.
7.localhost.  604800  IN  NS     ns1.example.com.
8.localhost.  604800  IN  NS     ns1.example.com.

Which of the two methods above is easier (or poses fewer questions) to 
understand by someone who's not familiar with BIND, much less $GENERATE?

> Don't shoot, I'm just the messenger.

I can shoot the messenger with a Nerf gun for reporting the wrong 
message.  Or are we playing a game of telephone?



-- 
Grant. . . .
unix || die
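
Added example, not part of the original message and not BIND's own code: a small Python expander for the two $GENERATE lines quoted above, so the discrete records can be inspected without BIND. It assumes the origin "localhost." and TTL 604800 seen in the named-compilezone output, handles only the five-field form used in the message (no optional TTL or class, no nibble modifiers), and all function names are hypothetical.

```python
import re

# BIND $GENERATE substitution tokens: escaped \$, ${offset[,width[,base]]}, or bare $.
# Nibble bases (n/N) are not handled in this sketch.
_TOKEN = re.compile(r"\\\$|\$\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\}|\$")
NAME_TYPES = {"CNAME", "NS", "PTR", "DNAME"}  # types whose rdata is a domain name

def _subst(template, i):
    """Replace each $ token in template with the iterator value i."""
    def repl(m):
        if m.group(0) == r"\$":
            return "$"                      # escaped dollar stays literal
        if m.group(1) is None:
            return str(i)                   # bare $
        offset, width, base = int(m.group(1)), int(m.group(2) or 0), m.group(3) or "d"
        return format(i + offset, base).zfill(width)
    return _TOKEN.sub(repl, template)

def _qualify(name, origin):
    """Append the zone origin to a relative name, as a zone-file parser does."""
    return name if name.endswith(".") else f"{name}.{origin}"

def expand_generate(line, origin, ttl=604800):
    """Expand one '$GENERATE range lhs type rhs' line into record tuples."""
    fields = line.split()
    if len(fields) != 5 or fields[0].upper() != "$GENERATE":
        raise ValueError(f"unsupported $GENERATE form: {line!r}")
    _, rng, lhs, rtype, rhs = fields
    m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", rng)   # start-stop[/step]
    if not m:
        raise ValueError(f"bad range: {rng!r}")
    start, stop, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    records = []
    for i in range(start, stop + 1, step):             # stop is inclusive
        owner = _qualify(_subst(lhs, i), origin)
        target = _subst(rhs, i)
        if rtype.upper() in NAME_TYPES:
            target = _qualify(target, origin)
        records.append((owner, ttl, "IN", rtype.upper(), target))
    return records

# The two directives from the message; origin taken from the output shown there.
SAMPLE = ["$GENERATE 1-4 $ CNAME $.bob.example.net.",
          "$GENERATE 5-8 $ NS ns1.example.com."]

if __name__ == "__main__":
    for line in SAMPLE:
        for rec in expand_generate(line, "localhost."):
            print("  ".join(str(f) for f in rec))
```
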