IETF Logo Mail Archive

Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition

Paul Wouters <paul@nohats.ca> Tue, 02 May 2023 15:02 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED14EC1519B8 for <dnsop@ietfa.amsl.com>; Tue, 2 May 2023 08:02:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.395
X-Spam-Level:
X-Spam-Status: No, score=-4.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTKboKN0hmyR for <dnsop@ietfa.amsl.com>; Tue, 2 May 2023 08:02:06 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9522DC151B38 for <dnsop@ietf.org>; Tue, 2 May 2023 08:02:06 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Q9jwV08Rpz46v; Tue, 2 May 2023 17:02:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1683039722; bh=CndyOtOWttttIBh6OhwbV4+cUnWUp+qonVtv3QGHVr0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=l77zF+yVwzQXmIrvuer1MWSBL4r9uZpLIDDzYAbe/4SskVP+FNMTDzvGUp++6qFkd u6ScopV/U4dP9LVpzD6Ce/a5JDM75aMKJjq+VXTQul4wgWCM0qen8DEYcyA6K6CE7A UvsG/HxR0edqrsCXzvw/+tOYQLDRFRYeRELf82Vg=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id xeMQHicfumP0; Tue, 2 May 2023 17:02:01 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 2 May 2023 17:02:01 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D34AAB7FAF3; Tue, 2 May 2023 11:01:59 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id CB0E7B7FAF2; Tue, 2 May 2023 11:01:59 -0400 (EDT)
Date: Tue, 02 May 2023 11:01:59 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter Thomassen <peter@desec.io>
cc: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, Joe Abley <jabley@hopcount.ca>, m9p@india.emu.st, dnsop@ietf.org
In-Reply-To: <2011730a-1206-63fb-bc98-019e53a5ea4a@desec.io>
Message-ID: <ae57e5d7-a3e7-d06f-db1a-ce78aa2c8065@nohats.ca>
References: <f5757414-dd3b-8a09-f945-d73cecf556a3@NLnetLabs.nl> <40C193AF-938C-418F-924E-94F4DD358164@icann.org> <20230501115805.5b4e5115@dataplane.org> <0.2.0-final-1682972681.287-0xd4930e@qmda.emu.st> <ovdbVoNO3SETnssmcX_ys9g7p1j9CEsl1VUMNYZgwHj1W-hTDQZPTaSfswmU_LmnYB5Yq0F_oHVjwfJB6z8fcNdg6Zp-YiVEQrZyneEp9Pg=@hopcount.ca> <c5cf66ab-716f-6a9f-1572-444e88a12a6c@redbarn.org> <2011730a-1206-63fb-bc98-019e53a5ea4a@desec.io>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tg8b2avYt1VJU5z890ZiFxipS_s>
Subject: Re: [DNSOP] [Ext] WGLC rfc8499bis one week extension for lame delegation definition
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2023 15:02:12 -0000

On Tue, 2 May 2023, Peter Thomassen wrote:

> This, so far, was my understanding of the definition that was given in the 
> other thread, and which Benno labeled (2) in the original post of this 
> thread:
>
>    "A lame delegation is said to exist when one or more authoritative
>    servers designated by the delegating NS RRset or by the child's apex
>    NS RRset answers non-authoritatively [or not at all] for a zone".
>
> ... without the "or not at all" part (so, an answer is required for 
> "lameness").

I don't think that is complete. If all the parental NS records point to
properly working nameservers, but the authoritative nameservers claim
an additional NS record, I would also call the delegation lame. Especially
if that additional nameserver specified in the authoritative NS RRset is
responding non-authoritatively. This might not be lame on the initial
queries, but if the resolver is child centric or validating, that broken
authoritative NS will end up getting queried and a lame answer would be
given.

> Without asking to invent a term if none exists, I'd like to learn how to call 
> a delegation that points to an NS hostname that does not have an address 
> record (verifiably, e.g. denied by a DNSSEC negative response).
>
> Before the discussion, I thought this qualifies as "lame" (because you can 
> tell from the response that there's no DNS service; it's not a timeout), but 
> with the above definition, it can't be called "lame".

How about:

     "A lame delegation is said to exist when the NS RRset of a zone is
      different at the parent and child nameservers, with the mismatched
      authoritative servers either listed at the parent or child answering
      non-authoritatively for that zone."

Paul

v2.23.0 | Report a Bug | By Email