IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-03.txt

Hugo Salgado <hsalgado@nic.cl> Fri, 14 January 2022 17:08 UTC

Return-Path: <hsalgado@nic.cl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A1DA3A2AB6 for <dnsop@ietfa.amsl.com>; Fri, 14 Jan 2022 09:08:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWz3ly8MZFCk for <dnsop@ietfa.amsl.com>; Fri, 14 Jan 2022 09:08:21 -0800 (PST)
Received: from mail.nic.cl (mail.nic.cl [IPv6:2001:1398:1::6008]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFEFA3A2AB9 for <dnsop@ietf.org>; Fri, 14 Jan 2022 09:08:20 -0800 (PST)
Received: from mail.nic.cl (localhost [127.0.0.1]) by mail.nic.cl (Postfix) with ESMTP id DA156195D6439; Fri, 14 Jan 2022 14:08:14 -0300 (-03)
Received: from pepino (unknown [IPv6:2800:150:126:1e44:6a34:e816:8127:2b7a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.nic.cl (Postfix) with ESMTPSA id B8254195D6435; Fri, 14 Jan 2022 14:08:14 -0300 (-03)
Date: Fri, 14 Jan 2022 14:08:13 -0300
From: Hugo Salgado <hsalgado@nic.cl>
To: Paul Wouters <paul@nohats.ca>
Cc: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Message-ID: <20220114170813.GA16480@pepino>
References: <c775a81b-d892-23ab-4954-4852559f66d1@redbarn.org> <86BD4B9B-609B-479E-9C32-BEC9E3D5EF68@nohats.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Nq2Wo0NMKNjxTN9z"
Content-Disposition: inline
In-Reply-To: <86BD4B9B-609B-479E-9C32-BEC9E3D5EF68@nohats.ca>
X-Virus-Scanned: ClamAV using ClamSMTP on Fri Jan 14 14:08:14 2022 -0300 (-03) (mail.nic.cl)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/h0_6iEUIDWb4FyvrpDnDN1BRqBE>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2022 17:08:23 -0000

On 21:14 06/01, Paul Wouters wrote:
> On Jan 6, 2022, at 20:48, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> > 
> > 
> > 
> > George Michaelson wrote on 2022-01-06 16:50:
> >> for a 200 in 200,000,000 problem? Ban it.
> > 
> > i agree that we should ban it, but not on the basis of its infrequency of use. rather, on the basis of data provenance.
> 
> Who wants to be the first to fail resolving adobe.net 😀
> 
> Seriously though, this draft is not about banning certain deployments or not. Its only concern is MAY vs SHOULD vs MUST require the found glue to be added to the response and potentially cause TC. 
> 
> I am tempted to SHOULD (or just not mentioning sibling glue at all) for two reasons.
> 
> 1) the WG keeps punting this so MUST or MUST NOT seems too strong
> 

There's also the case of registries with sibling glue names but without
the addresses. I suppose that in registries that use NS-as-objects this
can't happen, because there're pre-requisities in defining a host object
for every case. But in .CL, we use NS-as-attributes, and the addresses
are only required (and registered) where the NS is directly under
the delegation (the In-Domain Glue case).

So in this case:

  bar.test.                  86400   IN NS      ns1.bar.test.
  bar.test.                  86400   IN NS      ns2.bar.test.
  ns1.bar.test.              86400   IN A       192.0.2.1
  ns2.bar.test.              86400   IN AAAA    2001:db8::2:2

  foo.test.                  86400   IN NS      ns1.foo.test.
  foo.test.                  86400   IN NS      ns1.bar.test.
  foo.test.                  86400   IN NS      other.bar.test.
  ns1.foo.test.              86400   IN A       192.0.3.1

a question that delegates to foo.test will return sibling glue addresses
for ns1.foo.test. and ns1.bar.test., but no address for other.bar.test.

In .CL we have several hundreds of cases with this type of sibling
names, including some names in which there're no address at all
(all the NS are under another CL name but aren't in-domain glue).

So, a SHOULD-level requirement would seem to be a better fit for us.

Hugo

v2.23.0 | Report a Bug | By Email