Re: [DNSOP] Clarifying referrals (#35)
Paul Vixie <paul@redbarn.org> Mon, 13 November 2017 02:42 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C179512871F for <dnsop@ietfa.amsl.com>; Sun, 12 Nov 2017 18:42:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nhx2JgAdHf3e for <dnsop@ietfa.amsl.com>; Sun, 12 Nov 2017 18:42:55 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240BA128BBB for <dnsop@ietf.org>; Sun, 12 Nov 2017 18:42:19 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc] (unknown [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id E1D1461FA2; Mon, 13 Nov 2017 02:42:18 +0000 (UTC)
Message-ID: <5A09068A.3030206@redbarn.org>
Date: Sun, 12 Nov 2017 18:42:18 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@anvilwalrusden.com>
CC: dnsop@ietf.org
References: <20171112075445.tf2ut5dxzhhnqe7l@mx4.yitter.info> <20171112131831.GA32208@laperouse.bortzmeyer.org> <20171113014445.ncldrwnuuvluecx7@mx4.yitter.info> <5A08FD96.8030907@redbarn.org> <20171113020736.ga7rzgst2hurb56h@mx4.yitter.info>
In-Reply-To: <20171113020736.ga7rzgst2hurb56h@mx4.yitter.info>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wHSNaUw-ZUvt7dPTeVwmUG9pRq0>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Nov 2017 02:42:57 -0000
Andrew Sullivan wrote: > ... >> we should note that an upward or sideways or other non-downward referral is >> a sign of misconfiguration and must be treated as SERVFAIL. > > I am a little uncomfortable with using this document to specify > protocol behaviour as opposed to specifying protocol behaviour already > specified elsewhere. I may have missed them, but I am not sure either > of these requirements (musts) are stated so baldly in any RFC. Have I > missed something? when i stupidly introduced the idea of upward referrals while evidently hallucinating on crack cocaine back in the mid 1990's, the section of RFC 1034 that somebody should have printed, rolled up, and smacked me with was 4.1: > 4.1. Introduction > > Name servers are the repositories of information that make up the domain > database. The database is divided up into sections called zones, which > are distributed among the name servers. While name servers can have > several optional functions and sources of data, the essential task of a > name server is to answer queries using data in its zones. By design, > name servers can answer queries in a simple manner; the response can > always be generated using only local data, and either contains the > answer to the question or a referral to other name servers "closer" to > the desired information. the operative phrase is '"closer" to'. this is repeated in 4.3.1: > 4.3.1. Queries and responses > > The principal activity of name servers is to answer standard queries. > Both the query and its response are carried in a standard message format > which is described in [RFC-1035]. The query contains a QTYPE, QCLASS, > and QNAME, which describe the types and classes of desired information > and the name of interest. > > The way that the name server answers the query depends upon whether it > is operating in recursive mode or not: > > - The simplest mode for the server is non-recursive, since it > can answer queries using only local information: the response > contains an error, the answer, or a referral to some other > server "closer" to the answer. All name servers must > implement non-recursive queries. here again we see '"closer" to' as the allowed behaviour. of course, we also see that Unbound, and BIND with "recursion no;", are out-of-spec. so there's evidently a lot of fuzz here. that's why i'd love to see your current "clarifying referrals" document reference RFC 1034 4.1 and 4.3.1 and somehow reinforce that this wasn't a part of the spec that folks can just ignore, even though many have and others probably will. in [ibid], this is reinforced a third time: > If recursive service is not requested or is not available, the non- > recursive response will be one of the following: > > - An authoritative name error indicating that the name does not > exist. > > - A temporary error indication. > > - Some combination of: > > RRs that answer the question, together with an indication > whether the data comes from a zone or is cached. > > A referral to name servers which have zones which are closer > ancestors to the name than the server sending the reply. > > - RRs that the name server thinks will prove useful to the > requester. this time the phrase is "closer ancestors" which is even clearer than '"closer" to' as used earlier in the document. and then in 4.3.2 we see: > b. If a match would take us out of the authoritative data, > we have a referral. This happens when we encounter a > node with NS RRs marking cuts along the bottom of a > zone. here, some inclarity is introduced by implication, since in what we now call a "mixed mode" name server, indirect descendant information may be present, and at least one name server whose innards i'm aware of would send a cached referral. also if a name server is authoritative for two zones, one the parent of the other, then when it receives a query it will not know which zone the iterative resolver client thinks it is "in" and will send the "closest" answer which may hide the parent's delegation to the child, effectively gluing two zones into one. i don't think you'll want to bite off all that in this document, but i want to reintroduce this problem to the e-mail archives since the last time it was spoken of was on the namedroppers list in the early 1990's. ("unix mount point" semantics are a steep climb, but the only way out.) importantly however, the time when the algorithm described in [ibid] is allowed to send a referral is when a match would "take us out of the authoritative data", and the referral contents are copied from the non-authoriative NS RRset at the bottom of the zone we were searching. so, further evidence that upward or sideways referrals are off-spec. -- P Vixie
- [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Stephane Bortzmeyer
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) John Kristoff
- Re: [DNSOP] [Ext] Re: Clarifying referrals (#35) Edward Lewis
- [DNSOP] CDS polling, was Re: [Ext] Re: Clarifying… Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Matthew Pounsett
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Edward Lewis
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Matthew Pounsett
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Matthew Pounsett
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Robert Edmonds
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Mark Andrews
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Evan Hunt
- [DNSOP] another draft (was Re: Clarifying referra… Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Mark Elkins
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Jacques Latour
- Re: [DNSOP] Clarifying referrals (#35) Dave Lawrence
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Paul Wouters
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] CDS polling, was Re: [Ext] Re: Clarif… Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Stephane Bortzmeyer
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) P Vix
- Re: [DNSOP] Clarifying referrals (#35) Mark Andrews
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) P Vix
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Paul Hoffman
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Dick Franks
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Dick Franks
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Dick Franks
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Paul Vixie
- Re: [DNSOP] Clarifying referrals (#35) Florian Weimer
- Re: [DNSOP] Clarifying referrals (#35) Tony Finch
- Re: [DNSOP] Clarifying referrals (#35) Andrew Sullivan
- Re: [DNSOP] Clarifying referrals (#35) Bob Harold
- Re: [DNSOP] Clarifying referrals (#35) Evan Hunt
- Re: [DNSOP] Clarifying referrals (#35) Wessels, Duane
- Re: [DNSOP] Clarifying referrals (#35) Johannes Naab