Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-02.txt

Joe Abley <> Wed, 28 July 2021 12:21 UTC

Cc: Paul Wouters <>, dnsop <>
To: Ralf Weber <>

On Jul 28, 2021, at 07:51, Ralf Weber <> wrote:

> On 28 Jul 2021, at 5:10, Paul Wouters wrote:

>> First, as Mark said, sibling glue is sometimes needed.
> It is only needed for broken circular dependencies, which we don’t care about.

I tend to agree with this. 

There are a lot of ways a delegation can be non-functional (for example the circle of dependencies can be as big as you like, can incorporate third cousin twice removed glue, etc) and it makes more sense to me to let all of these cases fail rather than incurring the cost of papering over just some of them in the authority server.

As many people have pointed out, recursive servers will often ignore Kaminsky-looking glue anyway, so the result of including it is going to be very much like intermittent failures that are painful to diagnose and have the effect of making the DNS less stable.

From this perspective it's a greater kindness to all concerned to fail consistently when such configurations are first deployed.