IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

Tim Wicinski <tjw.ietf@gmail.com> Wed, 29 March 2023 08:32 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67BDC151B25 for <dnsop@ietfa.amsl.com>; Wed, 29 Mar 2023 01:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrnKNa940KmP for <dnsop@ietfa.amsl.com>; Wed, 29 Mar 2023 01:32:48 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB0C7C15155C for <dnsop@ietf.org>; Wed, 29 Mar 2023 01:32:47 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id ew6so60011645edb.7 for <dnsop@ietf.org>; Wed, 29 Mar 2023 01:32:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680078766; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NLHHqMEQBaai9eYMr77Xo+aC6TLNoO9Itp1vSG8tKkM=; b=EfxsjTm2x26O54h6P+4i0TPVOsNSJrcta3zCnoFfpMmMCrXfoBS7i3tvWvTO1mHP9c /oQTRIi1qJ68XpOPZHPi5aWYJV0n0yEMM96RqjGh5aQDubdCPrmJ63ef92IpgMh5ugDC VqQgQTFimIQ0RTBGD4sZ8yplEzINMOUvnop/YqX76dxcBL848/j7ZIH7/CZKhZsU/zSx vDUvW5sh+C6R9CyE+fDdsTdZluwvwHyaRlrpCAwMYtronUDq72pDO8DVeB0SaaF3PP6i ZbHYqnJ31oozQBYqZbIn+J57L6GPhtZz7AJxXryyXw2XS+8t7AbjuPiqbadxgWD5TFR0 jT/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680078766; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NLHHqMEQBaai9eYMr77Xo+aC6TLNoO9Itp1vSG8tKkM=; b=tIhWfeNQCxSJpJ9q+ZkRCMCZFWV2vrzs0vHxyQZjXMyXJAGhDb6uH3GqYauE2Iu4Y0 HNW930PsKevU+6hu/f6hHu26sy5MkKCxXI1Oyj6suxqoC2f/QLhVcVP91gQHX3YPtNFV 0C4EniHD+Hkd8+D6kzXd/9np8gPMWfzcB7ErBJSyWM6Ovo3T7LXPHYJIVFXInulFVcoe egLqb6EjtPVuh38F782HBsLBAZ9IFLLGCswtzSaLsbSNaSnjH1dl27R8xJ59SNktdy1O Imd2VZsWHA3CB32rfTyteo45hldERsPMfx3cRYpBdLHUQeG+8VC2/loorWYkVceKJkHS ms1A==
X-Gm-Message-State: AAQBX9fF+bs2MEDzgN/nf/JieQTsZ5Xu/FEzBuUA7/3mOWhWekN1/zpW SnsfSwz/5oTPzGQclH84QEG/FUPKJ8i/nLZe2EU=
X-Google-Smtp-Source: AKy350atYNHd8JlXFYwjzywWOXlpLzXRlXawFbVYvBTx9ujlppm5USPEfrBhUH5gha6+KJQZYjIliWpy0QItntjadHQ=
X-Received: by 2002:a50:cd83:0:b0:502:20e4:5be8 with SMTP id p3-20020a50cd83000000b0050220e45be8mr8400657edi.5.1680078766204; Wed, 29 Mar 2023 01:32:46 -0700 (PDT)
MIME-Version: 1.0
References: <166433321065.7033.7906557321120388211@ietfa.amsl.com> <a124badc-7723-904f-3716-6be2a121360@nohats.ca> <Y+7jR1ouKD6w8V49@straasha.imrryr.org> <Y/RXcLmPouKn5DJW@straasha.imrryr.org> <920A70B5-EF6F-463D-B62B-BC29C4C0210D@fl1ger.de> <CAHPuVdW-mA=M+zh1nvRKr12w5wnxG2+bL0Vbc52DwRykare+Ng@mail.gmail.com> <ZCHkFGDj0CrEx3o1@straasha.imrryr.org> <CAHPuVdUY+eUmeWw8x+yfbTSxr4aavzxtuEqKGEoB=gpVhLR1gg@mail.gmail.com> <9743fe5f-dc3b-1241-cd2d-96649939adf6@desec.io> <CAAiTEH-7erdiQrxW1FXcy_zhWxsf60XhPp66yyfWnzhOKPDJmA@mail.gmail.com> <CAHPuVdUCssTsMc=FrKMrDB8N-P98crYe03NKU5-BtV47LgR9UA@mail.gmail.com> <FD4826E8-089F-46D0-B2B5-06B06346F72A@verisign.com>
In-Reply-To: <FD4826E8-089F-46D0-B2B5-06B06346F72A@verisign.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Wed, 29 Mar 2023 04:32:35 -0400
Message-ID: <CADyWQ+FHVSqJ09fpV3i2Z_YA+VgUPLcYg+5mMwHAvC1=YpRgJQ@mail.gmail.com>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: Shumon Huque <shuque@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000debef05f805d2fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jT00tSDhV-ToX8b_fTg3Kin3Pkc>
Subject: Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 08:32:48 -0000

To follow up with Shumon and Duane's comments, the title of the document
was changed over time to "DNS Glue Requirements in Referral Responses" to
more accurately reflect the document's contents.
The datatracker name did not change to reflect that.
tim


On Tue, Mar 28, 2023 at 9:58 PM Wessels, Duane <dwessels=
40verisign.com@dmarc.ietf.org> wrote:

>
>
> > On Mar 29, 2023, at 10:53 AM, Shumon Huque <shuque@gmail.com> wrote:
> >
> > On Tue, Mar 28, 2023 at 9:51 PM Matthew Pounsett <matt@conundrum.com>
> wrote:
> >
> > On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <peter@desec.io> wrote:
> >
> >
> > On 3/28/23 03:14, Shumon Huque wrote:
> > > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <
> ietf-dane@dukhovni.org <mailto:ietf-dane@dukhovni.org>> wrote:
> > >
> > >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
> > >     Can we at least state that domains with cyclic dependencies are a
> bad
> > >     idea, and may not be supported by all resolvers.  In other words,
> that
> > >     the domain owner can't **rely** on the sibling glue recommended to
> be
> > >     sent in this draft to save the day.
> > >
> > >     My strong preference is still to delete all reference in the draft
> to
> > >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
> > >     sibling glue primarily as a performance optimisation, and
> secondarily
> > >     as a last resort when the nameserver IP addresses are wrong or gone
> > >     from the authoritative zone (another bad practice).
> > >
> > >
> > > Viktor - I've so far not seen many other people speak up in support of
> your
> > > position. I suspect this is because this draft was discussed to death
> many
> > > months ago during long discussion threads on the list, and there is
> likely
> > > already rough consensus for the current content. Personally, I would
> be ok
> > > with adding a statement that configurations involving cyclic
> dependencies
> > > are not recommended, but others will likely have to also speak up in
> support
> > > of this too.
> >
> > I support adding such a statement about cyclic dependencies.
> >
> > As do I.
> >
> >
> > In addition, I would support saying that data suggests that, while
> (non-cyclic) glue records may have a benefit in certain cases, they
> frequently are a source of harm (time-outs), and the trade-off remains
> unclear.
> >
> > I would support this as well.
> >
> > In my anecdotal experience as an operator, I routinely encounter
> mismatches in sibling glue and child zone NS sets that appear to be due to
> the glue being forgotten.  My assumption is that, because it's not
> necessary to operate, when operators fail to update it they don't receive
> any kind of signal that something is wrong.
> >
> > Viktor's numbers are pretty clear data, though, so nobody should need my
> anecdotes to be convinced.  While sibling glue may be a useful optimisation
> in some cases, given how poorly maintained it is it seems to cause more
> problems than it solves.
> >
> >
> > I'd like to remind folks that the scope of this draft when it was
> adopted by the working group was very narrow. Mainly to say that 'required'
> glue must set TC=1 if it doesn't fit into the DNS response payload. That
> required talking about other types of non-mandatory glue like sibling, but
> has not proposed to change authoritative server behavior in those areas.
> >
> > If folks want to deprecate sibling glue entirely, it would be best to
> write another draft saying that and see if we can get consensus on that.
> >
>
> I agree with this position.  The scope of the draft is about message size
> and behavior when glue records don’t fit.  Although the “glue is not
> optional” name is catchy, in hindsight I think a different name would
> better reflect the intent of the document.
>
> DW
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email