Re: [DNSOP] DNS Delegation Requirements

"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Mon, 08 February 2016 23:38 UTC

From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: dnsop <dnsop@ietf.org>
Date: Mon, 08 Feb 2016 23:37:57 +0000
Message-ID: <e915c2c6f1b54b0188ee90eb753fbcb7@mxph4chrw.fgremc.it>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se> <4C7298C1-4331-4953-881F-89C7BB3FED39@fl1ger.de> <CAHw9_iKDcqzW6NQkwyBh933=apjAqCDLKF7O60D5fmLm+PgLkg@mail.gmail.com>
In-Reply-To: <CAHw9_iKDcqzW6NQkwyBh933=apjAqCDLKF7O60D5fmLm+PgLkg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/cEDY4Cictn9LNBNtXasC_i53iyA>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

My 2 cents…

I don’t think any DNS RFC should be tied to any specific element of Internet routing technology. Keep it relatively generic and avoid mention of “ASes” and the like, since this RFC may outlive the use of ASes for Internet routing. “Path diversity”, “link diversity”, “network-level redundancy”, those are all fine.

- Kevin

From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Warren Kumari
Sent: Monday, February 08, 2016 9:21 AM
To: Ralf Weber; Jakob Schlyter
Cc: dnsop; Patrik Wallström
Subject: Re: [DNSOP] DNS Delegation Requirements


On Mon, Feb 8, 2016 at 2:00 AM Ralf Weber <dns@fl1ger.de> wrote:
Moin!

On 8 Feb 2016, at 9:57, Jakob Schlyter wrote:
> At this point, we're seeking more public comments - on this mailing
> list (unless the chairs disapprove), on our issue tracker [4] or
> via email to the authors.
Thanks a lot for this work. I certainly would like dnsop to work on
this.

I would soften some of the language and have a question.

5.1. There are use cases where the serial number rarely if ever is the
same on all servers and it's only really used inside communication for a
given domain and not during resolution. So the only people who know if a
divergent serial number is a problem are the domain owners. So we
shouldn't tell the public that this is a problem. I would say that a
different SOA serial number could be seen as an indicator of an
inconsistent setup, but that further analysis is required to really
conclude that.

6.2 The name servers SHOULD NOT belong to the same AS
I would drop that requirement altogether or make it a MAY. We really
should not tell people how to build networks from the DNS world.


I think that the SHOULD NOT is actually correct here -- from RFC1771:

"The use of the term Autonomous System here stresses the fact that, even when multiple IGPs and metrics are used, the administration of an AS appears to other ASs to have a single coherent interior routing plan and presents a consistent picture of what destinations are reachable through it."

An AS is a "network", run by one organization. This means that there is a monkey sitting somewhere making all of the routing decisions, and sometimes monkeys screw up. Having a nameserver in an AS that is run by a different monkey means that you need multiple monkeys messing up at the same time[0]. Also, a significant amount of routing and traffic engineering decisions are made at the AS level ("Meh, I'll local-pref AS 42 down to move this traffic $there") - this means that sometimes folk screw up and accidentally block access to some set of ASes - SIDR may or may not make this more likely :-)

This is *not* telling people how to build their network - it is simply *suggesting* that they consider putting some set of nameservers in a network run by someone else.  If you understand the implications of putting all of your nameservers in one AS, good for you. If not, chances are it's safer to put at least some elsewhere...

W
[0]: This (obviously) isn't really true, both ASs could share the same upstream, router, etc. RFC 2182, 3.1. says it best:
"They should also be connected to
the net via quite diverse paths.  This means that the failure of any
one link, or of routing within some segment of the network (such as a
service provider) will not make all of the servers unreachable."

8.7 We should point out here that neither an MX nor an A record is
required at the zone apex, or do you want either of them to be mandatory?

On the SOA settings I do have a question. Would the following SOA be
legitimate according to this draft?
        localhost. root.localhost. 1115106304 16384 2048 1048576 2560
If not why not, as my spot checking didn't find anything that made it
invalid.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
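Editor's added example, not code from any participant in this thread or from the draft under discussion. It runs offline over constructed per-nameserver observations (documentation prefixes and private-use ASNs) and reports the two cross-server conditions argued about above: SOA serial divergence, which it labels as an indicator only, as Ralf asks, and all name servers originating from a single AS, the draft's 6.2 condition that Warren defends. It also parses the SOA Ralf quoted and applies structural timer sanity checks; those checks (retry not above refresh, expire above refresh plus retry, fully qualified MNAME) are this example's own assumptions, not rules taken from the draft, and the record passes them, which is Ralf's point. Distinct ASes are not treated as proof of path diversity, since both could share an upstream; that is noted, not checked.

```python
"""Delegation consistency checks over constructed data (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse presentation-format SOA RDATA: the seven fields after the type."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA RDATA must have exactly 7 fields")
    nums = [int(f) for f in fields[2:]]
    for n in nums:
        if not 0 <= n <= 0xFFFFFFFF:
            raise ValueError("SOA counters and timers are unsigned 32-bit")
    return SOA(fields[0], fields[1], *nums)


def soa_timer_findings(soa: SOA) -> List[str]:
    """Structural sanity checks on one SOA.

    Assumed thresholds for this example, not the draft's rules: they only
    catch internally contradictory timers, so a record like the one Ralf
    quoted produces no findings.
    """
    findings = []
    if soa.retry > soa.refresh:
        findings.append("retry (%d) exceeds refresh (%d)" % (soa.retry, soa.refresh))
    if soa.expire <= soa.refresh + soa.retry:
        findings.append("expire (%d) is not larger than refresh + retry" % soa.expire)
    if not soa.mname.endswith("."):
        findings.append("mname %r is not fully qualified" % soa.mname)
    return findings


def delegation_findings(servers: Dict[str, dict]) -> List[str]:
    """Cross-server checks; each entry carries 'asn' (int) and 'soa' (SOA).

    Serial divergence is an indicator only: it can be a legitimate setup and
    only the zone owner can tell. A single AS is reported as a warning; note
    that distinct ASes do not prove path diversity (a shared upstream is
    invisible here), so that is deliberately not claimed.
    """
    findings = []
    serials = {name: s["soa"].serial for name, s in servers.items()}
    if len(set(serials.values())) > 1:
        detail = ", ".join("%s=%d" % (n, v) for n, v in sorted(serials.items()))
        findings.append("SOA serial differs across servers (%s); indicator only, "
                        "needs further analysis" % detail)
    asns = {s["asn"] for s in servers.values()}
    if len(asns) == 1:
        findings.append("all %d name servers originate from a single AS (AS%d)"
                        % (len(servers), asns.pop()))
    return findings


# Constructed observations: private-use ASNs (RFC 5398), made-up serials.
ZONE_SOA = parse_soa("ns1.example. hostmaster.example. 2016020802 7200 900 1209600 3600")
LAGGING_SOA = parse_soa("ns1.example. hostmaster.example. 2016020801 7200 900 1209600 3600")

DIVERSE = {  # two ASes, one secondary lagging by one serial
    "ns1.example.": {"asn": 64500, "soa": ZONE_SOA},
    "ns2.example.": {"asn": 64500, "soa": ZONE_SOA},
    "ns3.example.": {"asn": 64501, "soa": LAGGING_SOA},
}
SINGLE_AS = {  # consistent serials, but everything in one AS
    "ns1.example.": {"asn": 64500, "soa": ZONE_SOA},
    "ns2.example.": {"asn": 64500, "soa": ZONE_SOA},
}

# The SOA Ralf asked about, verbatim from the thread.
RALF_SOA = "localhost. root.localhost. 1115106304 16384 2048 1048576 2560"

if __name__ == "__main__":
    for label, servers in (("diverse", DIVERSE), ("single-as", SINGLE_AS)):
        print(label, delegation_findings(servers) or ["no findings"])
    print("ralf", soa_timer_findings(parse_soa(RALF_SOA)) or ["no findings"])
```

In practice the `asn` field would come from an IP-to-origin lookup against the addresses of each NS and the `soa` from querying each server directly (not through a recursive resolver), but the report logic is the same; the wording of the serial finding is what separates an indicator from an error in a public-facing checker.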