IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Mark Andrews <marka@isc.org> Sat, 15 April 2023 01:01 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6115C14CE4D for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 18:01:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="jZ9NbPj1"; dkim=pass (1024-bit key) header.d=isc.org header.b="Z9JR/Q1Z"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRZqBMEENcXm for <dnsop@ietfa.amsl.com>; Fri, 14 Apr 2023 18:01:43 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1B3BC14CE5F for <dnsop@ietf.org>; Fri, 14 Apr 2023 18:01:43 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 524733AB01C; Sat, 15 Apr 2023 01:01:43 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 524733AB01C
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1681520503; cv=none; b=NatIYamAcibtc8NyQBu9CoATu9TytBoQJNsaNOpD9cYfDgeBDENXIqLOeGiQtrVu15UcvjEsaQFNFfmlsWFPzqrEWMTe0kuMBsFXBS5/eFZzJ3eFmh6pw20kJF1K3HsHPOWyEKB+E3lA+uWasST0vjC6QEybluU7ic8atooKfYw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1681520503; c=relaxed/relaxed; bh=VoVjMJ+QF/rFsD1VsCG4UJy1TBLEHb8ie99yw3LU2Ds=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=rbc/zgraeeSSM1Y4cXMyAmHvB0kVc22QywO9oPFSUJHIKS03POPpG0yKyQbxbjdyFa9RGdFL8EhW+SZ+QpvR6iPgLWZk6xi9AJxY94VBApECChJ5XKApbLvVKFPWtWC/TphUIz1LNBrCEEOvZQnlEM/mnYrwBk3MvfaZHZcQGKE=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 524733AB01C
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1681520503; bh=vrWHIXm/EAbdHvPPecwb1dkmgSSSeAFLTHtLJ+K2ht0=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=jZ9NbPj19NReP28SseCL67ndG+QaVyDa08Ydrge4+/foYvS5RSde4HuxSOMOhSYSX F3KAoMSlcVGU5H5G3ncYb0uXD/EPE+FiUYHuhJoLVcvZ+S6L4I86C1Y4xGFCoOEcLK cJme53Y08EsfNwemjwuEF1NBi7eO4mNZbz5B41Wg=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 39A12FE56ED; Sat, 15 Apr 2023 01:01:43 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 0DFB0FE5704; Sat, 15 Apr 2023 01:01:43 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 0DFB0FE5704
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1681520503; bh=VoVjMJ+QF/rFsD1VsCG4UJy1TBLEHb8ie99yw3LU2Ds=; h=Mime-Version:From:Date:Message-Id:To; b=Z9JR/Q1ZFsLI/jwtx+MnWd3dhrwS5nm1vXR7dovvYdWEgLYJx9H4gs1gGlOgPZNVF 3PDsJQK/B6lzUXXUO/UbBJ+ypyX5X2WQ9kaV47+bvEkHs1HCzyesj9AAj5VeMz4hJP hqAb4Qjb9MDpoIs6qVGLSssr2WiIxkrrJ4jLq1yw=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id YRho7U5A2R7c; Sat, 15 Apr 2023 01:01:42 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 0F551FE56ED; Sat, 15 Apr 2023 01:01:41 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CA+9_gVsS3Jwv4kQcLRYBJtPf-R6DjZ0jNGCKojV9nQbbL3B-NA@mail.gmail.com>
Date: Sat, 15 Apr 2023 11:01:28 +1000
Cc: Puneet Sood <puneets=40google.com@dmarc.ietf.org>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <FCEFE347-F90A-474D-AFF3-AE58C5266B3C@isc.org>
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com> <CA+9_gVu4iHdxUTzDRYQ5FceHiauyZGiZLvrTmSQZvZz6ZHi90A@mail.gmail.com> <FA71180D-6042-4EFF-ABB6-EC95FF0969C7@isc.org> <CA+9_gVun=ceg3F0UfSLmWD+qLQdKwn48DhOcP_DMWeFXoK48sw@mail.gmail.com> <CA+9_gVsS3Jwv4kQcLRYBJtPf-R6DjZ0jNGCKojV9nQbbL3B-NA@mail.gmail.com>
To: Puneet Sood <puneets@google.com>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gm6k1dchKOG6LRgyqGbfL_gqVJY>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 01:01:48 -0000

Somehow saying MUST include a SOA record in the negative response
isn’t enough.

3 - Negative Answers from Authoritative Servers

Name servers authoritative for a zone MUST include the SOA record of
the zone in the authority section of the response when reporting an
NXDOMAIN or indicating that no data of the requested type exists.
This is required so that the response may be cached. The TTL of this
record is set from the minimum of the MINIMUM field of the SOA record
and the TTL of the SOA itself, and indicates how long a resolver may
cache the negative answer. The TTL SIG record associated with the
SOA record should also be trimmed in line with the SOA's TTL.

If the containing zone is signed [RFC2065] the SOA and appropriate
NXT and SIG records MUST be added.

6 - Negative answers from the cache

When a server, in answering a query, encounters a cached negative
response it MUST add the cached SOA record to the authority section
of the response with the TTL decremented by the amount of time it was
stored in the cache. This allows the NXDOMAIN / NODATA response to
time out correctly.

> On 15 Apr 2023, at 10:48, Puneet Sood <puneets@google.com> wrote:
> 
> Also the following section (2.2.1 - Special Handling of No Data)
> suggests sending type 2 instead of type 1 responses but is silent
> about type 3 responses.
> 
> On Fri, Apr 14, 2023 at 8:46 PM Puneet Sood <puneets@google.com> wrote:
>> 
>> On Fri, Apr 14, 2023 at 8:26 PM Mark Andrews <marka@isc.org> wrote:
>>> 
>>> RFC 2038 already says add the SOA so negative answers can be cached. The other responses
>>> where to show what was out there so that they where not misinterpreted.
>> I believe you are referring to this sentence? Quote: "The authority
>> section will contain an SOA record, or there will be no NS records
>> there."
>> 
>> That is not how I interpreted those lines. My understanding of the
>> part after the "or" is that a response with an empty ANSWER and AUTH
>> section also indicates NODATA (as confirmed by response type 3).
>> 
>>> I doubt saying
>>> don’t do those old forms will make any difference.  Everything out there has had 25 years
>>> to comply.
>> I understand updating the specs by itself does not fix compliance.
>> However clarifying that "or" would be useful.
>> 
>>> 
>>>> On 15 Apr 2023, at 09:06, Puneet Sood <puneets=40google.com@dmarc.ietf.org> wrote:
>>>> 
>>>> On the topic of authoritative server behavior as seen in the DNS
>>>> responses, a few areas for improvement below (not touching DNSSEC).
>>>> This is written from the perspective of a resolver using the auth
>>>> responses to answer user queries.
>>>> 
>>>> * responding correctly to requests with certain flags, EDNS options.
>>>> This is covered well by RFC 8906. Now we wait for compliance.
>>>> 
>>>> * proper glue
>>>> This I-D clarifies the need to supply *all the glue* and to set TC=1
>>>> correctly. Improve the specification for what to do with sibling or
>>>> cyclic glue. Ideally recommend against publishing and/or depending on
>>>> cyclic, sibling glue.
>>>> 
>>>> * NODATA responses
>>>> RFC 2308 section 2.2 - No Data
>>>> [https://www.rfc-editor.org/rfc/rfc2308#section-2.2] describes three
>>>> different ways an NS response could indicate NODATA. Types 1 and 2
>>>> include a SOA record which is helpful in determining TTLs and start of
>>>> the zone cut (this matters when the same auth server is authoritative
>>>> for consecutive labels in a qname). Type 3 with no SOA while usable by
>>>> resolvers is not very helpful.
>>>> 
>>>> Tightening of the specification to require type 1 or 2 responses for
>>>> NODATA will be beneficial (drop type 3).
>>>> 
>>>> In addition two additional types of responses appear to show up in the
>>>> wild. Tightening the spec likely won't help here.
>>>> Type 4. SOA in Answer section
>>>> Non-compliant but a resolver can kind of figure this out and use it to
>>>> generate a NODATA answer.
>>>> 
>>>> Implementation note: Viktor has done work on this topic so we should
>>>> have some data to share in a few weeks.
>>>> 
>>>> Type 5. NS RRs for the zone in question (no SOA) (type 1 w/o the SOA :()
>>>> Generally treated as LAME.
>>>> 
>>>> Questions for the working group:
>>>> Is there interest in updating existing specifications around glue and
>>>> NODATA responses?
>>>> 
>>>> Are there other related auth response specifications which would
>>>> benefit from updates?
>>>> 
>>>> Thanks for reading.
>>>> 
>>>> -Puneet
>>>> 
>>>> On Tue, Mar 28, 2023 at 9:54 PM Shumon Huque <shuque@gmail.com> wrote:
>>>>> 
>>>>> On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 3/28/23 03:14, Shumon Huque wrote:
>>>>>>>> On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
>>>>>>>> 
>>>>>>>>   On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
>>>>>>>>   Can we at least state that domains with cyclic dependencies are a bad
>>>>>>>>   idea, and may not be supported by all resolvers.  In other words, that
>>>>>>>>   the domain owner can't **rely** on the sibling glue recommended to be
>>>>>>>>   sent in this draft to save the day.
>>>>>>>> 
>>>>>>>>   My strong preference is still to delete all reference in the draft to
>>>>>>>>   cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
>>>>>>>>   sibling glue primarily as a performance optimisation, and secondarily
>>>>>>>>   as a last resort when the nameserver IP addresses are wrong or gone
>>>>>>>>   from the authoritative zone (another bad practice).
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Viktor - I've so far not seen many other people speak up in support of your
>>>>>>>> position. I suspect this is because this draft was discussed to death many
>>>>>>>> months ago during long discussion threads on the list, and there is likely
>>>>>>>> already rough consensus for the current content. Personally, I would be ok
>>>>>>>> with adding a statement that configurations involving cyclic dependencies
>>>>>>>> are not recommended, but others will likely have to also speak up in support
>>>>>>>> of this too.
>>>>>>> 
>>>>>>> I support adding such a statement about cyclic dependencies.
>>>>>> 
>>>>>> 
>>>>>> As do I.
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> In addition, I would support saying that data suggests that, while (non-cyclic) glue records may have a benefit in certain cases, they frequently are a source of harm (time-outs), and the trade-off remains unclear.
>>>>>> 
>>>>>> 
>>>>>> I would support this as well.
>>>>>> 
>>>>>> In my anecdotal experience as an operator, I routinely encounter mismatches in sibling glue and child zone NS sets that appear to be due to the glue being forgotten.  My assumption is that, because it's not necessary to operate, when operators fail to update it they don't receive any kind of signal that something is wrong.
>>>>>> 
>>>>>> Viktor's numbers are pretty clear data, though, so nobody should need my anecdotes to be convinced.  While sibling glue may be a useful optimisation in some cases, given how poorly maintained it is it seems to cause more problems than it solves.
>>>>>> 
>>>>> 
>>>>> I'd like to remind folks that the scope of this draft when it was adopted by the working group was very narrow. Mainly to say that 'required' glue must set TC=1 if it doesn't fit into the DNS response payload. That required talking about other types of non-mandatory glue like sibling, but has not proposed to change authoritative server behavior in those areas.
>>>>> 
>>>>> If folks want to deprecate sibling glue entirely, it would be best to write another draft saying that and see if we can get consensus on that.
>>>>> 
>>>>> Shumon.
>>>>> 
>>>>> _______________________________________________
>>>>> DNSOP mailing list
>>>>> DNSOP@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>> 
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>> 
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>> 
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email