IETF Logo Mail Archive

Re: [DNSOP] Another attempt at consensus on the bailiwick discussion

Mukund Sivaraman <muks@mukund.org> Thu, 16 December 2021 03:19 UTC

Return-Path: <muks@mukund.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3444B3A08CD for <dnsop@ietfa.amsl.com>; Wed, 15 Dec 2021 19:19:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mukund.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SOTntk90yGNB for <dnsop@ietfa.amsl.com>; Wed, 15 Dec 2021 19:19:36 -0800 (PST)
Received: from mx.mukund.org (mx.mukund.org [188.40.188.215]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69CB43A08D0 for <dnsop@ietf.org>; Wed, 15 Dec 2021 19:19:34 -0800 (PST)
Date: Thu, 16 Dec 2021 08:49:29 +0530
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mukund.org; s=mail; t=1639624771; bh=B8FoKYXFevXWvaYrkyRXoD2y30xWQST+F5db5LJHbqI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=kqyIo9Yd11sbZ5zCtziZQgcB0hfFsDHm/h/rXCk2sr5phMlg4XRkqFmUiSBn+BaBV zp6Uc2TtOogX2z5dwWkn+2ad6dtZxCR5rfdJn+hr004+i4DvGmyGmA5lqRZ0XD55X0 uAexw4eZOPa8w5CmUpIOuj1E8jTTrovTND1WyBs4=
From: Mukund Sivaraman <muks@mukund.org>
To: "Wessels, Duane" <dwessels=40verisign.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
Message-ID: <YbqwQXQoKvDXceRY@d1>
References: <B08E9361-B97B-4862-861C-4EF628C85E50@icann.org> <bb61304c-6ef9-7850-3dbb-19b624bc07b@nohats.ca> <60a11d97-8be4-91e-4880-999c1a57a75b@dotat.at> <FC138247-7BA2-4CCA-8E6C-A06423236A81@icann.org> <2009A9A9-4CF3-4AB6-8D6B-3474B15F0328@verisign.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="eMmdcTnARQqbInEi"
Content-Disposition: inline
In-Reply-To: <2009A9A9-4CF3-4AB6-8D6B-3474B15F0328@verisign.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xlURtcvJL2DMJ4byohhQrEpefXs>
Subject: Re: [DNSOP] Another attempt at consensus on the bailiwick discussion
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2021 03:19:41 -0000

On Wed, Dec 15, 2021 at 09:17:42PM +0000, Wessels, Duane wrote:
> Despite what the subject line says, I’d like to follow up on the
> discussion about glue from today’s interim meeting.
> 
> First, I think the definition of glue given in RFC 2181 is problematic
> in a number of ways.  It is overly broad (e.g., "any record ... that
> is not properly part of that zone” and "any other stray data that
> might appear”).  It essentially says that all non-authoritative data
> is glue, including NS, which is wrong IMO.
> 
> If we can ignore what 2181 says, then the question is whether or not
> glue is limited only to addresses.  Historically it has only meant
> addresses, since those address RRs were required for zones with
> in-domain name servers.  There are some new proposals in DPRIVE to
> publish more record types in parent zones and have them considered as
> glue.  This has obvious implications server behavior given the
> glue-is-not-optional draft.
> 
> On one hand I think it would be a lot simpler to just say that only
> address records can be glue.  But I’m not sure that is defendable
> given the directions things are going.  Here’s a definition of glue
> that I came up with:
> 
> Glue is non-authoritative data in a zone that is transmitted in the
> additional section of a referral response on the basis that the data
> might be necessary for resolution to proceed at the referred name
> servers.
> 
> I also feel like we might be heading in a direction where there would
> need to be a registry or some standardization of which RR types can be
> treated as glue.

RFC 5936 (the AXFR RFC) section 3.5 calls names under a zonecut, but
part of the (parent) zone as "occluded names". It can happen with both
NS cuts and existence of DNAME:

> 3.5.  Occluded Names

>    Dynamic Update [RFC2136] operations, and in particular their
>    interaction with DNAME [RFC2672], can have a side effect of occluding
>    names in a zone.  The addition of a delegation point via dynamic
>    update will render all subordinate domain names to be in a limbo,
>    still part of the zone but not available to the lookup process.  The
>    addition of a DNAME resource record has the same impact.  The
>    subordinate names are said to be "occluded".

>    Occluded names MUST be included in AXFR responses.  An AXFR client
>    MUST be able to identify and handle occluded names.  The rationale
>    for this action is based on a speedy recovery if the dynamic update
>    operation was in error and is to be undone.

Though records with occluded names are considered "glue", there is a
semantic difference in the context in which the term "glue" is used
vs. occluded names - in that "glue is used in connecting the zone cuts".

Clarification with extra description is good. I don't know if the
currently accepted liberal meaning should be restricted further.

		Mukund

v2.23.0 | Report a Bug | By Email