IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Puneet Sood <puneets@google.com> Fri, 14 April 2023 23:06 UTC

Return-Path: <puneets@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96902C14CF1F for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 16:06:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fkswawg6rSA7 for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 16:06:50 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63BDAC14CF12 for <dnsop@ietf.org>; Fri, 14 Apr 2023 16:06:50 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id d75a77b69052e-3eb39797281so172111cf.0 for <dnsop@ietf.org>; Fri, 14 Apr 2023 16:06:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681513609; x=1684105609; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=JiiEpsWnYc/npikhJKYpt2UJXaC19abxikrDBTmmhtI=; b=3OwVi4MB4jAjb3mRG3VCQQPSKhv4iyXXnzXnT5OtmK+apE+PyukWw3nwHLNB85V73T AW4EGf/KrxtrAnAMKbNrtd/jTTRISmYGMTBH6pFVnb2KXMw5YwUmA5I/87fkDsy0RKEW k2ICY04+R3DloPllV82H5F7QUkXNZX+XR7w71Ti/+MU+zeVVqE3XF/mRznD38specp0W mjcYJj/RlbOiBpAHZUVXV5zrt5+0dWnk8o9d3HtvFaKa1/Oqjx7S4viBKiN0RYDUznC2 QmYFXuFYBbiYFSbQUUsTH1AphQ/eg7dJTOnYzFbpmfsFI2qQn4dtCMJ5brp/33RLCXCS oWng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681513609; x=1684105609; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=JiiEpsWnYc/npikhJKYpt2UJXaC19abxikrDBTmmhtI=; b=D7wmnIpa3HbPHkAWo9iOmrJ4cSJLVUEOYLoZlBKtOwB8H/qUZOavQDBRB0IY9V6wzb BRqiGK90JPXQU5dM8UTRb/pFvmbZYjr/Hq8Tu/3DwKkRgl96JOZS0Wv39CC0tC9tXxOS Wkfq6DWyRTdmQjRBBniEJ/aNz+x9V471m/2TiXdDQKWNm45k+L1vEx96/udiqWdU65u8 C0CsqjcTkJ/rMqfGtAf7NfnuUsjeaTO8gJp66ez75mljWvBrsesG+NN1iG7pn5ac62i1 YKuJ39LmtoFEs2daMGfb7PTVR+zKIj6AxCaHU5JnEUfn/iaScK07ru8oF+whYW81pIVb NUeQ==
X-Gm-Message-State: AAQBX9fdKTjDqaW6zmLZxcnDTXMieWXPCfG78iheIORoPi1t4KyQRui0 ocsVwWJeIEUnidFU1bYftZDPFqeb2WpG1wWQ6ah6Xxk4x5xumhYkE38LoQ==
X-Google-Smtp-Source: AKy350bXYOLvYxQKzJIOLNP/7JNYA93ClpSZJZVNqCNFy2rHxugpOgSEJYLd4pc2ek1rlmL6xndr87xoHIA71ep8rpY=
X-Received: by 2002:ac8:578e:0:b0:3b9:f696:c757 with SMTP id v14-20020ac8578e000000b003b9f696c757mr496302qta.8.1681513609329; Fri, 14 Apr 2023 16:06:49 -0700 (PDT)
MIME-Version: 1.0
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
In-Reply-To: <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
From: Puneet Sood <puneets@google.com>
Date: Fri, 14 Apr 2023 19:06:30 -0400
Message-ID: <CA+9_gVu4iHdxUTzDRYQ5FceHiauyZGiZLvrTmSQZvZz6ZHi90A@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>, dnsop@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cXkFciPrtXy1bEP4zlSBTQabpJA>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2023 23:06:54 -0000

On the topic of authoritative server behavior as seen in the DNS
responses, a few areas for improvement below (not touching DNSSEC).
This is written from the perspective of a resolver using the auth
responses to answer user queries.

* responding correctly to requests with certain flags, EDNS options.
This is covered well by RFC 8906. Now we wait for compliance.

* proper glue
This I-D clarifies the need to supply *all the glue* and to set TC=1
correctly. Improve the specification for what to do with sibling or
cyclic glue. Ideally recommend against publishing and/or depending on
cyclic, sibling glue.

* NODATA responses
RFC 2308 section 2.2 - No Data
[https://www.rfc-editor.org/rfc/rfc2308#section-2.2] describes three
different ways an NS response could indicate NODATA. Types 1 and 2
include a SOA record which is helpful in determining TTLs and start of
the zone cut (this matters when the same auth server is authoritative
for consecutive labels in a qname). Type 3 with no SOA while usable by
resolvers is not very helpful.

Tightening of the specification to require type 1 or 2 responses for
NODATA will be beneficial (drop type 3).

In addition two additional types of responses appear to show up in the
wild. Tightening the spec likely won't help here.
Type 4. SOA in Answer section
Non-compliant but a resolver can kind of figure this out and use it to
generate a NODATA answer.

Implementation note: Viktor has done work on this topic so we should
have some data to share in a few weeks.

Type 5. NS RRs for the zone in question (no SOA) (type 1 w/o the SOA :()
Generally treated as LAME.

Questions for the working group:
Is there interest in updating existing specifications around glue and
NODATA responses?

Are there other related auth response specifications which would
benefit from updates?

Thanks for reading.

-Puneet

On Tue, Mar 28, 2023 at 9:54 PM Shumon Huque <shuque@gmail.com> wrote:
>
> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
>>
>>
>> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
>>>
>>>
>>>
>>> On 3/28/23 03:14, Shumon Huque wrote:
>>> > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
>>> >
>>> >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>>> >     Can we at least state that domains with cyclic dependencies are a bad
>>> >     idea, and may not be supported by all resolvers.  In other words, that
>>> >     the domain owner can't **rely** on the sibling glue recommended to be
>>> >     sent in this draft to save the day.
>>> >
>>> >     My strong preference is still to delete all reference in the draft to
>>> >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>>> >     sibling glue primarily as a performance optimisation, and secondarily
>>> >     as a last resort when the nameserver IP addresses are wrong or gone
>>> >     from the authoritative zone (another bad practice).
>>> >
>>> >
>>> > Viktor - I've so far not seen many other people speak up in support of your
>>> > position. I suspect this is because this draft was discussed to death many
>>> > months ago during long discussion threads on the list, and there is likely
>>> > already rough consensus for the current content. Personally, I would be ok
>>> > with adding a statement that configurations involving cyclic dependencies
>>> > are not recommended, but others will likely have to also speak up in support
>>> > of this too.
>>>
>>> I support adding such a statement about cyclic dependencies.
>>
>>
>> As do I.
>>
>>
>>>
>>>
>>> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
>>
>>
>> I would support this as well.
>>
>> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
>>
>> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.
>>
>
> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
>
> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.
>
> Shumon.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email