Re: [DNSOP] partial glue is not enough, I-D Action: draft-ietf-dnsop-glue-is-not-optional-00.txt

John Levine <johnl@taugh.com> Thu, 02 July 2020 01:18 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A6A63A12CD for <dnsop@ietfa.amsl.com>; Wed, 1 Jul 2020 18:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.851
X-Spam-Level:
X-Spam-Status: No, score=-1.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=LdsbzYJT; dkim=pass (1536-bit key) header.d=taugh.com header.b=VoX50EME
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGhY64MEE799 for <dnsop@ietfa.amsl.com>; Wed, 1 Jul 2020 18:18:18 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64D2D3A1213 for <dnsop@ietf.org>; Wed, 1 Jul 2020 18:18:18 -0700 (PDT)
Received: (qmail 91775 invoked from network); 2 Jul 2020 01:18:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1667b.5efd35d8.k2007; bh=JHdcTRFpfKPnQZlwLeTo0tj5wAtN+OFgbF/Cz3p0xO8=; b=LdsbzYJT8eRIU1XvOrbWR42kl6yxnKAaOg2GBsnS8+QZwyvl2ywIPuQCno2XUgUTDjB7CrhdbCVEInpvn0KpInYcCcc5QALxEJzGOG4jDdhqEzG2Tdh13iwgF4LAH9OqGdYvmM6HsQVC8zvYcyb2MBGmJb2AkcyJkeTgPPDV59fubGasN27Zjl7iZzwqoGh9IK7odbeEYHp91Ur9w2cAMmJVqSCUYGoUiPVile5WgJh0ggGZdIblCZBMnGiXYBs0
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1667b.5efd35d8.k2007; bh=JHdcTRFpfKPnQZlwLeTo0tj5wAtN+OFgbF/Cz3p0xO8=; b=VoX50EMEE55UKBA7hUBSLmv7W7Tsq1rVkbZkZQkYqgNdMx43UqY+XO7f+r4TjEyYNV3qNZk+JmnFq009kSuJ43jaIQX0MdSMFZIq8AYabPpVNLHxBR76tk5l8xhXx0MvnxarGA3SbMm1J6BcUfNfH+IVmQUg6CRJiJjxF+GYj8RC62bimsBp7t6banPQQQmzePN5LE8LYGrEmJPpDJrY2DwnYvk0UU4RvUV1BA/lHuLu6fUlrbJU+AKnA7yfJa2F
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 02 Jul 2020 01:18:16 -0000
Received: by ary.qy (Postfix, from userid 501) id D4B0D1C3CD10; Wed, 1 Jul 2020 21:18:16 -0400 (EDT)
Date: 1 Jul 2020 21:18:16 -0400
Message-Id: <20200702011816.D4B0D1C3CD10@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dnsop@ietf.org
Cc: paul@redbarn.org
In-Reply-To: <9056955.dJ39pTEj9z@linux-9daj>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hm3Wxtw243kE1xVbmDPCtKT2jlo>
Subject: Re: [DNSOP] partial glue is not enough, I-D Action: draft-ietf-dnsop-glue-is-not-optional-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 01:18:21 -0000

In article <9056955.dJ39pTEj9z@linux-9daj> you write:
>On Wednesday, 1 July 2020 09:41:49 UTC Jan Včelák wrote:
>> We just opened this discussion internally at NS1 because we serve some
>> zones with more than 10 NS records where each NS requires glue and our
>> proprietary server by design adds glue only for the first four NS
>> records. We are discussing if this is correct behavior if it needs to
>> be revisited.
>
>i think if you're using round robin or random selection, a subset is fine. if 
>we had to codify this practice, i'd ask that at least two address records of 
>each available kind be included (so, two AAAA's, two A's) or else set TC=1.

I really don't like this. If you do that, you're going to have
failures when there are working servers but none of their addresses
happen to be in the glue subset in the response, and without TC=1
there's no hint that there's more glue if you retry.

If a response with TC=1 has at least one record in the additional
section, that tells the client that the missing records are all glue.
So I think it would be OK in that case for the client to use what it's
got, but remember that if it can't contact any of the NS with the
A/AAAA it's got, it can go back and get the rest.

Remember, if it's glue, there's no other way to get it. If it's worth
returning glue at all, it's worth providing all of it.

R's,
John