[DNSOP] Re: New Version Notification for draft-sury-dnsop-parent-centric-resolver-01.txt
Ondřej Surý <ondrej@sury.org> Fri, 03 April 2026 19:18 UTC
Return-Path: <ondrej@sury.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B05D4D635FAF for <dnsop@mail2.ietf.org>; Fri, 3 Apr 2026 12:18:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775243882; bh=7Fy7sSWCXkvEDXDyOc4HG7XmljptiTSjlFVlWQ70srI=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=RL6jTOnB563JJxI+BVhvhNa9c+qY8VUcc7JutbTXixcwyui/mv5iCPEgzxn8Gx+h/ 1kKvIyCYow/XlKEn7On8lN8NBNlAIVO4cgwsf0HgHHFUDgLXGdG72Z5DEdJS/oi5T7 qg9VULezSWXBWRQj02X6hjLBytCLcJx+tTZRtwOM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sury.org header.b="OMM9zH3i"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="cvcmRMP3"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnCV9unHtd-7 for <dnsop@mail2.ietf.org>; Fri, 3 Apr 2026 12:18:01 -0700 (PDT)
Received: from fout-a2-smtp.messagingengine.com (fout-a2-smtp.messagingengine.com [103.168.172.145]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A7BCFD635D47 for <dnsop@ietf.org>; Fri, 3 Apr 2026 12:17:42 -0700 (PDT)
Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45]) by mailfout.phl.internal (Postfix) with ESMTP id A957EEC02DB; Fri, 3 Apr 2026 15:17:36 -0400 (EDT)
Received: from phl-frontend-03 ([10.202.2.162]) by phl-compute-05.internal (MEProxy); Fri, 03 Apr 2026 15:17:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sury.org; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1775243856; x=1775330256; bh=LycM8zGOLGwR74OoobfG3UUvtmwrhO42I9s6oGANNLo=; b= OMM9zH3iS+prl4zIwuG96Q6Fw0JYAiIX1Hlsc7ALlGqJszuuisthSV6bD4K4xQQX Q6m/QWqK3l1PrH8DY6YPskhRL/pfXM7gO+ZeZYI6aZwdg16KFgMOolr13DqvcsNE HudgPKIz60CQEfYPZK9GevBsJlWtMlEwAOROYl1tK5NwOSC2U3dO1m03SsCsya6K deatAhs/YB7K5fSUQPBpaUT0CzaXJWe6GPH+qaD9wyKJtZMkTp4k0nNsnFdfq7Ng hSc6WXshxAMy0Nb8nbPH8PANKajXXgVHvRKfo37KELmNTFM0eAhrb+qV7Mtl3io/ vTKqhy4yVZf3xMjZUZ/7tw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1775243856; x= 1775330256; bh=LycM8zGOLGwR74OoobfG3UUvtmwrhO42I9s6oGANNLo=; b=c vcmRMP3LOReII6QmE8pJIYrvk0Mny8iq26Vl3wOJ4ltk3j5nEf2h9j+AzRHy6eRV eStcZo/UUsZlS4GJgnT9ITctrNbWZEYdyjLde0rPamuF326FrUjKRhnq7dbnzETp jDQUWu9j1ThgHUnRhUi2yabxo0Kmd746DCIvct8/jC0Aq+G4JDCHDGa99KzX7149 ht4dO2tWTVGD2kukVFD46pA2JOZPr18bGb1fPZcZ+I45WEdF5MvXqoHlMvInha9O NjmqqstvTwW6RCUS6TRJ0g6tOV50k71KtTLltUhWmYR3K9tWwnYD/pvSrOabm8ds onWsd6BfglycRO3IDu4Ew==
X-ME-Sender: <xms:UBLQacD66YEZTkoOTa3lOwYf0UwFUs4H3HXhl-IDmgJRg-63psr56g> <xme:UBLQaa0wk_JyxHtTYG7pt7oFIjq5kFwubWkNCKfX8ROT_ijJNGdfIiMkhhfSmoeJ0 kTZJXZTNzkNungrINqr6pLP-aF4ziGEYCUI9SW-ZbRJ5XtFanfo1oKJ>
X-ME-Received: <xmr:UBLQaSUx4no9uU_NTu8jvR68S3R1yJn5Stprka46SgJeluPhMp7ssaNgnzrxNARP2H6chTsHIh7xP8b5QvVrTw2nITCzED8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefhedrtddtgdeljeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceurghi lhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurh eptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpefqnhgurhgvjhcu ufhurhpuuceoohhnughrvghjsehsuhhrhidrohhrgheqnecuggftrfgrthhtvghrnhepie etgffguedufeejfeevvdfffeekvddtkeegkefgveetkeekfeeghefhheejteevnecuffho mhgrihhnpehivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehonhgurhgvjhesshhurhihrdhorhhgpdhnsggprhgtphhtthho pedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehshhgrnhgvsehtihhmvgdqth hrrghvvghllhgvrhhsrdhorhhgpdhrtghpthhtohepughnshhophesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:UBLQaUnKJcdUHiz3PB_fXvIcLtEVarpUmCTKHCznD5d9uJfoS5IW5g> <xmx:UBLQaUCtabwdB22DkviZ88WSCRjlB-LWz4WwV1Q2WzqNM0zCGft6zQ> <xmx:UBLQaUeNgIkwd6S8e1thob5saLrzBl1NlD-49FxWtHMZ7jd-apOs4Q> <xmx:UBLQafJu5MNfSx5TxupTMgOZwM9yAyXPBRBA0QctshUBfr5cJzFQFA> <xmx:UBLQae-2MOPiVi4baVNA_Om5zBCXNs8romI5zxnUuXvmz1W0wTwF3OmC>
Feedback-ID: ida81469e:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 3 Apr 2026 15:17:35 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\))
From: Ondřej Surý <ondrej@sury.org>
In-Reply-To: <e3c5dec2-b52e-4245-9329-211a31fefc4d@time-travellers.org>
Date: Fri, 03 Apr 2026 21:17:23 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE44C931-9388-4ECD-88CD-9C9A7A219B86@sury.org>
References: <177364466468.250409.3258111596991249669@dt-datatracker-5477d56788-5pkt5> <AB5761BD-4306-44BA-9A7F-A76752A85E0B@sury.org> <e3c5dec2-b52e-4245-9329-211a31fefc4d@time-travellers.org>
To: Shane Kerr <shane@time-travellers.org>
X-Mailer: Apple Mail (2.3864.500.181)
Message-ID-Hash: DMLDANPWC5MAZ27QOD2TRRE3DUEHE3JP
X-Message-ID-Hash: DMLDANPWC5MAZ27QOD2TRRE3DUEHE3JP
X-MailFrom: ondrej@sury.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: New Version Notification for draft-sury-dnsop-parent-centric-resolver-01.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zEBQBQAKQ3Yqre-LmpiBBDhFpzE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Shane, > On 1. 4. 2026, at 14:58, Shane Kerr <shane@time-travellers.org> wrote: > > Ondřej, > I'm surprised there hasn't been discussion on this, although maybe the LLM-generation put people off. Shrug, I think it is better to be transparent in the use of the slightly better spell checker and autocomplete than pretend that didn't happen. Nevertheless, the updates described below have been done directly by myself alone. > On 2026-03-16 08:16, Ondřej Surý wrote: >> we’ve been working on making BIND 9 to use parent-centric delegations and I thought >> It would be useful to turn this into an Internet-Draft. This was also kind of experiment >> whether LLM can create something useful if you feed it all the important data and know >> your subject. The result had been manually curated, I did spent some time reading >> and updating the document. > ... >> Name: draft-sury-dnsop-parent-centric-resolver >> Revision: 01 >> Title: Parent-Centric Delegation Handling in DNS Resolvers >> Date: 2026-03-16 > If this is adopted and gets turned into an RFC then it is a huge change! HUGE!!! Sure, but I don't view this as "enforcement" that everyone has to implement. I would be also happy with Informational status. > I guess there are a few things to like about this. > The first being that some resolvers already operate in a parent-centric way, so documenting that would be useful. Yes, that's my main motivation. To document what has been done in BIND 9.21.21 (BIND 9.21.x is to be released as stable 9.22.0 later this year), and what others has been doing as well. > The second being that if we declare child-side NS to be unnecessary then we are saving lots of useless lookups. That's the funny thing - unless you implement strict draft-ietf-dnsop-ns-revalidation then it is already the case. > I do think that the draft presents this change in a somewhat nonsensical way. "The child is authoritative regarding NS, but don't use those values to do any lookups." The full paragraph is: > The child-side NS RRset is authoritative data from the child zone and is > the correct answer to an NS query. The parent-side NS RRset received in > referrals is non-authoritative delegation information and MUST NOT be > returned as the answer to an NS query. The paragraph speaks what should happen when the AA data is received by the resolver. > It seems like it would require separate cached values for NS: one for the parent, one for the child. That's implementation detail - you can also store the "owner" of the information inside a single database. > Even worse, there is literally no way that an external party can lookup the value that a resolver is using for the parent, and that seems like it might make debugging issues tricky. One could lookup an NS at a resolver, then query those NS directly and get a completely different value than the resolver itself returns. Yet another funny thing - this is already the case - it is kind of Heisenberg's delegation - the delegation records changes when you look. Unless the cache snooping is enabled (which really should not be - yeah, that's something next on my list), the NS query to the resolver will make the resolver to resolve child's NS records replacing the delegation records. > One thing that I really like about the draft is that it documents refreshing TTL values for NS on any lookup at the parent. This is probably something resolver implementers already do, but writing it down seems useful. > A minor point is that it mentions that the child will sometimes have a different TTL for NS records than the parents, and this can be longer. In general TLDs often to have insanely long TTL for NS records, and I would guess that in most cases the child's TTL will be less. (2 days for COM/NET/UK, 1 day for DE, although a much more sensible 1 hour for ORG/CZ/FR/NL). I suppose that the parent should have some say about the TTL of the NS record in a parent-centric world... although since most registries generate new zones at least several times a day I would suggest that large TTL are unnecessarily large. Should this guidance be part of this draft? Perhaps add something about long TTLs at the parent to this section? ## Compatibility with Existing Infrastructure > The text that says "minimum of NS RRset TTL and the accepted glue record TTLs", I guess means associated address (A/AAAA) records? Maybe that should be stated. Ok, I've added (A/AAAA) there. > Anyway, I think this draft is a fundamental shift in thinking about how NS are handled, and needs a lot of convincing to go forward. I've added word "optional" to the abstract and introduction and added reference to draft-ietf-dnsop-ns-revalidation saying that DNS resolvers are free to pick one. And the -02 is now out: A new version of Internet-Draft draft-sury-dnsop-parent-centric-resolver-02.txt has been successfully submitted by Ondřej Surý and posted to the IETF repository. Name: draft-sury-dnsop-parent-centric-resolver Revision: 02 Title: Parent-Centric Delegation Handling in DNS Resolvers Date: 2026-04-03 Group: Individual Submission Pages: 24 URL: https://www.ietf.org/archive/id/draft-sury-dnsop-parent-centric-resolver-02.txt Status: https://datatracker.ietf.org/doc/draft-sury-dnsop-parent-centric-resolver/ HTMLized: https://datatracker.ietf.org/doc/html/draft-sury-dnsop-parent-centric-resolver Diff: https://author-tools.ietf.org/iddiff?url2=draft-sury-dnsop-parent-centric-resolver-02 Abstract: This document specifies an optional parent-centric behavioral model for DNS recursive resolvers, in which delegation decisions are always based on the NS RRset (or DELEG RRset) received from the parent side of a zone cut and are never overwritten by child-side NS data. The parent-centric model eliminates the "two sources of truth" problem inherent in the current DNS delegation design, closes the Ghost Domain and Phoenix Domain attack vectors, provides deterministic behavior in the presence of parent/child NS mismatches, and enables resolvers to safely accept sibling (out-of-bailiwick) glue by scoping delegation information to individual zone cuts. It also provides the behavioral foundation required for deployment of the DELEG extensible delegation mechanism. This document updates [RFC1034] and [RFC1035]. Ondrej -- Ondřej Surý (He/Him) ondrej@sury.org A gentle nudge is always appreciated if I take a little longer to reply.
- [DNSOP] Fwd: New Version Notification for draft-s… Ondřej Surý
- [DNSOP] Re: Fwd: New Version Notification for dra… Shane Kerr
- [DNSOP] Re: Fwd: New Version Notification for dra… Petr Špaček
- [DNSOP] Re: New Version Notification for draft-su… Ralf Weber
- [DNSOP] Re: Fwd: New Version Notification for dra… Dave Lawrence
- [DNSOP] Re: Fwd: New Version Notification for dra… Petr Špaček
- [DNSOP] Re: New Version Notification for draft-su… Ondřej Surý