IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Puneet Sood <puneets@google.com> Fri, 14 April 2023 23:04 UTC

Return-Path: <puneets@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C2B8C1516E9 for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 16:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ZckeSGunt0N for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 16:04:35 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65DE0C14CF1F for <dnsop@ietf.org>; Fri, 14 Apr 2023 16:04:35 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id d75a77b69052e-3e0965f70ecso774731cf.0 for <dnsop@ietf.org>; Fri, 14 Apr 2023 16:04:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1681513474; x=1684105474; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=9F2Vm3CQ6DPcY/hBsUohVxERtzPHbCFWrikjerYhiiQ=; b=ZE17TtmIFGX1dm2qJM7Kau7pPv1qgib7oUyRsBUOPUoRIfUMbWjDqp/LXA9yr5pXCW 2CM9k4Rot85vvDRV0egZ9Rxgc55kokx8+L07my1jGvn2p1NIRJFamSpb9LaGJJG4AmPE /YMyC23b9Zb7zso7bKFh9eixgnlHnrUTAf1GC2uju/FkvcnzvXWSSh70wd/L2tM3SQTt btOxjeP0BsvXX2J37EmqK1X4d+wWHNSZ2qnNHUVbLAnwnISqE5BUoTRaz/1QSrrh+yzM IQ9FJOMeVCel3M77YCLreqe2mDoInQBmM+3yCsZdgDjfUxRIjEOnfuWACTJXlYgWW/3D S5vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681513474; x=1684105474; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9F2Vm3CQ6DPcY/hBsUohVxERtzPHbCFWrikjerYhiiQ=; b=IKzXiMRWc97/2++Bc09wzkn6jXRwboUkFPvIq3xTIThFYZFhG29Qpn36bYGk6oISpM mg5MHwoqJ8JpHBBqBelVHKo0qQDZo3iXFsPM1sTXni1lqLVWXBe2uDQ+jE+Tkc0Ci28H 0X734jVUPLAXQmTsZttD3COEnkMG0iQ8uzDVKdtbbU5wK1vLn2GuOPTcWUUAjHySur8Y vthNGgzr8O7Mas//V8Gx7mT3QjLcyT/8VVO38agFS+b2EBpp0w8a5MQH/Cs8Db0iqfN5 OLtMxozi034fB6a9GriuebGfySwTBo0RYtA5XFzGIz7i5jYqm6X6ArjxjmwXItyMKRRW EurA==
X-Gm-Message-State: AAQBX9f0yTCd3ZbFowF7eOT8TchpIsERFWtki0Ea5NgCaKuEYRoLXDZJ YIAURp6kt/fCQ8GnVIWpIacUvfoTmM0dToh56373HQ==
X-Google-Smtp-Source: AKy350YOk4LyPDSoRecrDhaidXzdqxbD9zB2L6MtQrs4CrG1IINX9cixmqgVx6+V3RmgaDeGHGcRsGMwahaeUersnxs=
X-Received: by 2002:a05:622a:1756:b0:3df:6cbb:c76 with SMTP id l22-20020a05622a175600b003df6cbb0c76mr70989qtk.13.1681513474013; Fri, 14 Apr 2023 16:04:34 -0700 (PDT)
MIME-Version: 1.0
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
In-Reply-To: <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com>
From: Puneet Sood <puneets@google.com>
Date: Fri, 14 Apr 2023 19:04:14 -0400
Message-ID: <CA+9_gVsQjar+y8ntT7a+dkKYEGntNrgyv1gMUfQmEpekXxhGNw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: dnsop@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dsIM7KpnoTCgQBR9eppVMBB3Nxk>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2023 23:04:36 -0000

I wanted to respond to this thread earlier, so apologies in advance
for late posting and if this is a no-op at this point. Me getting
confused about the last call for this draft
(https://datatracker.ietf.org/doc/draft-ietf-dnsop-glue-is-not-optional/)
and https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc8499bis/
being combined didn't help either.

The draft does not contain any reference to the rfc8499bis I-D or to
RFC 8499. It would be helpful to have a reference.

On Tue, Mar 28, 2023 at 9:54 PM Shumon Huque <shuque@gmail.com> wrote:
>
> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
>>
>>
>> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
>>>
>>>
>>>
>>> On 3/28/23 03:14, Shumon Huque wrote:
>>> > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
>>> >
>>> >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>>> >     Can we at least state that domains with cyclic dependencies are a bad
>>> >     idea, and may not be supported by all resolvers.  In other words, that
>>> >     the domain owner can't **rely** on the sibling glue recommended to be
>>> >     sent in this draft to save the day.
>>> >
>>> >     My strong preference is still to delete all reference in the draft to
>>> >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>>> >     sibling glue primarily as a performance optimisation, and secondarily
>>> >     as a last resort when the nameserver IP addresses are wrong or gone
>>> >     from the authoritative zone (another bad practice).
>>> >
>>> >
>>> > Viktor - I've so far not seen many other people speak up in support of your
>>> > position. I suspect this is because this draft was discussed to death many
>>> > months ago during long discussion threads on the list, and there is likely
>>> > already rough consensus for the current content. Personally, I would be ok
>>> > with adding a statement that configurations involving cyclic dependencies
>>> > are not recommended, but others will likely have to also speak up in support
>>> > of this too.
>>>
>>> I support adding such a statement about cyclic dependencies.
>>
>>
>> As do I.
>>
>>
>>>
>>>
>>> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
>>
>>
>> I would support this as well.
>>
>> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
>>
>> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.

If it's not too late in the process:
Given the numbers presented upthread, at a minimum could we have one
sentence in section 2.3 Glue Cyclic Sibling Domain Name Server,
discouraging implementers from doing this?

>>
>
> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
>
> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.

This is a reasonable position. Sending a separate email.

-Puneet

>
> Shumon.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email