Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition

Peter Thomassen <> Tue, 02 May 2023 16:14 UTC

Message-ID: <>
Date: Tue, 02 May 2023 18:14:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Joe Abley <>,
References: <> <> <> <ZFD/> <> <> <> <>
From: Peter Thomassen <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition

On 5/2/23 17:52, Joe Abley wrote:
> On Tue, May 2, 2023 at 11:09, Peter Thomassen wrote:
>> If one of the NS answers non-authoritatively, then it doesn't serve a proper NS RRset, so it's not possible for that server's response to agree / be identical with that on the parent side. As a result, the delegation (to that server) is lame, isn't it?
> A nameserver can answer authoritatively for a particular query without being listed in any zone's NS RRSet.
> A response from a server doesn't necessarily include an NS RRSet anyway.

Sure, but to compare to the delegation's NS RRset (as Paul was arguing), you'll have to ask the authoritative nameserver for the NS RRset, in which case the response should contain that RRset and the AA bit.

Paul said that even if the AA bit was missing, that would not be lame, as long as the RDATA agree. I was trying to say that if the child's answer is indeed non-authoritative, that's not a proper situation because the two servers make conflicting authority claims. What the parent and the child nameserver say w.r.t. the NS hosts' authority is not identical; as a result, I would call it lame. (Apologies for the loose wording in my earlier post; I really should be more careful.)

Another case would be where the name server responds with REFUSED, which, depending on the reader's DNS expertise, could be construed as "answering non-authoritatively", although it's not an answer (only a response). Is this meant to be included in the "lame" definition?

(It is not clear whether the verb "answering" is meant to require the presence of answer RRs, but I suppose so. Further, the distinction between "answer" and "response" may not be obvious to someone reading about "lame delegations" when debugging an issue, so it may be worth clarifying what's meant, e.g. by referring to the RCODE.)
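To make the distinctions in this thread concrete, here is an added example (my own illustration, not code from the thread, the draft, or any DNS implementation) of the consistency check under discussion: for each server listed in the parent's NS RRset, the child's response to a `<zone> NS` query is compared against the parent's RRset, looking at the RCODE, the AA bit and the NS RDATA. The response model, the zone and server names, and the verdict categories are all constructed for this example; in particular, the rule that a non-authoritative answer with matching RDATA still counts as lame follows the reasoning in the message above, not any agreed definition.

```python
"""Classify a delegated server's NS response against the parent's delegation.

Constructed example: models the check discussed in the thread (is the child's
view of the NS RRset identical to the parent's, and is it served
authoritatively?). It uses a minimal response model instead of real queries.
"""
from dataclasses import dataclass, field
from enum import Enum

# RCODE values (RFC 1035 / IANA DNS parameters registry)
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


class Verdict(Enum):
    CONSISTENT = "consistent"                              # AA set, RDATA identical
    NO_ANSWER = "lame: response without answer"            # REFUSED etc., or empty
    NOT_AUTHORITATIVE = "lame: non-authoritative answer"   # AA bit missing
    RDATA_MISMATCH = "lame: NS RRset differs from parent"  # conflicting claims


@dataclass
class NSResponse:
    """Minimal model of one server's response to a `<zone> NS` query."""
    rcode: int
    aa: bool
    ns_rdata: frozenset = field(default_factory=frozenset)  # owner names only


def normalize(names):
    """Owner names compare case-insensitively and regardless of trailing dot."""
    return frozenset(n.rstrip(".").lower() for n in names)


def classify(parent_ns, resp):
    """Classify a single server's response relative to the parent's NS RRset."""
    # A REFUSED/SERVFAIL/NXDOMAIN response (or an empty NOERROR one) carries no
    # answer RRs at all: there is nothing to compare, so the server is lame.
    if resp.rcode != NOERROR or not resp.ns_rdata:
        return Verdict.NO_ANSWER
    # Answer present but AA clear: the server does not claim authority for the
    # zone the parent delegated to it (treated as lame here, per the message).
    if not resp.aa:
        return Verdict.NOT_AUTHORITATIVE
    # Authoritative answer whose RDATA disagree with the parent side.
    if normalize(resp.ns_rdata) != normalize(parent_ns):
        return Verdict.RDATA_MISMATCH
    return Verdict.CONSISTENT


def check_delegation(parent_ns, responses):
    """Return {server: Verdict} for every server in the parent's delegation."""
    return {server: classify(parent_ns, responses[server]) for server in parent_ns}


def is_lame(verdicts):
    """The delegation is lame if any delegated server is not CONSISTENT."""
    return any(v is not Verdict.CONSISTENT for v in verdicts.values())


# Constructed sample: the parent delegates to two servers; ns1 answers
# authoritatively with identical RDATA (differing only in case and trailing
# dot), ns2 responds REFUSED.
PARENT_NS = ("ns1.example.test.", "ns2.example.test.")
RESPONSES = {
    "ns1.example.test.": NSResponse(NOERROR, True,
                                    frozenset({"ns1.example.test.", "NS2.example.test"})),
    "ns2.example.test.": NSResponse(REFUSED, False),
}

if __name__ == "__main__":
    verdicts = check_delegation(PARENT_NS, RESPONSES)
    for server, verdict in verdicts.items():
        print(f"{server:22} {verdict.value}")
    print("delegation lame:", is_lame(verdicts))
```

The ordering of the checks matters for the point raised above: a REFUSED response is sorted out before the AA bit is examined, so "answering non-authoritatively" and "responding without an answer" are reported as distinct conditions rather than conflated.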