Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-02.txt

George Michaelson <ggm@algebras.org> Wed, 28 July 2021 04:24 UTC

References: <65da3773-b1b5-cc3d-6b82-6a33fae46c0@nohats.ca> <20210728041631.CCAA8253A750@ary.qy>
In-Reply-To: <20210728041631.CCAA8253A750@ary.qy>
From: George Michaelson <ggm@algebras.org>
Date: Wed, 28 Jul 2021 14:24:35 +1000
Message-ID: <CAKr6gn1bxdnQN-v2pd8V2s8M9Re7nxtEEfoVgSYX5DeZBJwY-A@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dnsop WG <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zMKa5ZBNHuK4JPQI9943isR723o>

I had it said to me, that "lies" about the ns.bar.example are not a
problem because if they can tell you a DNSSEC verified truth about the
primary request, you don't care who told you.

That can only be truly not a concern, if the primary is DNSSEC
verified. So, for the non-DNSSEC, it feels like a substantial problem.
But then... the only way out is to BE DNSSEC aware. There's not much
choice.

I'm not convinced this "glue doesn't have to be validated" thing is
true, but the problem latent in this is the recursive time/compute
cost of chasing all out-of-bailiwick data, to verify its status in
DNSSEC.

Love to hear other people's POV on this. Maybe it is a false meme on
my part? Maybe glue HAS to be checked and validated, no matter what?

-G

On Wed, Jul 28, 2021 at 2:16 PM John Levine <johnl@taugh.com> wrote:
>
> It appears that Paul Wouters  <paul@nohats.ca> said:
> >On Tue, 27 Jul 2021, John R Levine wrote:
> >
> >> Well, OK.  How about this?
> >>
> >>       foo.example NS ns.bar.example
> >>       ns.foo.example AAAA 2001:0DB8:0000:000b::1
> >>
> >>       bar.example NS ns.abc.example
> >>       ns.bar.example AAAA 2001:0DB8:0000:000b::2
> >>
> >>       abc.example NS ns.def.example
> >>       ns.abc.example AAAA 2001:0DB8:0000:000b::3
> >>
> >>       def.example NS ns.foo.example
> >>       ns.def.example AAAA 2001:0DB8:0000:000b::4
> >>
> >> (I would have gone all the way to ns.xyz.example but it's time for bed here)
> >>
> >> We don't try to make NS loops work across zones, so I don't see the point of
> >> sorta kinda trying to make them work sometimes.
> >
> >You still miss the point. In the case of def.example needing
> >ns.foo.example, the server can just check if it has glue for
> >ns.foo.example. It does, so it returns it. It is not going to
> >check whether or not this is a silly loop to .xyz.example or
> >beyond. There is no point in knowing that. It has an NS record
> >pointing to X. It has a glue record for X. So it includes the glue
> >record X.
>
> OK, so I ask for foo.example and I get
>
> ; answer
> foo.example NS ns.bar.example
> ; additional
> ns.bar.example AAAA 2001:0DB8:0000:000b::2
>
> Does it check that's the right value for ns.bar.example?  How about with DNSSEC?  I suppose
>
> I still don't see the benefit of trying to make some loops work when we know that we
> can't make cross-zone loops work.
>
> R's,
> John
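As an added illustration (not code from the thread, the draft, or any resolver), the following Python takes the four-zone example John quoted and applies the two checks the discussion turns on: the bailiwick rule a resolver uses to decide whether an additional-section address for an NS host can be used as-is or must be fetched (and, under DNSSEC, validated) from the zone that owns the host name, and a walk of the NS dependencies across zones that shows they form the cross-zone loop foo -> bar -> abc -> def -> foo. The `NS` table and the function names are assumptions of this example; the zone names come from the quoted message.

```python
"""Bailiwick check and cross-zone NS dependency walk over the four-zone
example quoted in this thread (constructed data, not from live zones)."""

# NS records from the quoted example: zone -> the name of its nameserver.
NS = {
    "foo.example": "ns.bar.example",
    "bar.example": "ns.abc.example",
    "abc.example": "ns.def.example",
    "def.example": "ns.foo.example",
}


def is_in_bailiwick(name, zone):
    """True if `name` lies at or below the zone cut `zone`."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def owning_zone(name, zones):
    """Longest-suffix match: which of `zones` holds `name` (None if none)."""
    hits = [z for z in zones if is_in_bailiwick(name, z)]
    return max(hits, key=len) if hits else None


def classify_referral(zone):
    """For a referral to `zone`, decide whether additional-section glue for
    its NS host may be used as-is (in-bailiwick) or whether the resolver must
    fetch the address from the zone that owns the host name, and under DNSSEC
    validate it there. Returns (ns_host, owning_zone, glue_trusted)."""
    ns = NS[zone]
    owner = owning_zone(ns, NS)
    return ns, owner, is_in_bailiwick(ns, zone)


def find_ns_loop(start):
    """Walk zone -> NS host -> zone owning that host; return the cycle as a
    list of zones (first == last) if the chain comes back on itself."""
    path, zone = [start], start
    while True:
        owner = owning_zone(NS[zone], NS)
        if owner is None:
            return None  # chain leaves the data set: no loop found
        path.append(owner)
        if owner in path[:-1]:
            return path[path.index(owner):]
        zone = owner
```

For every zone in this data set `classify_referral` reports the glue as out-of-bailiwick, which is exactly the case where a resolver that does not chase and validate the address has only the referring server's word for it.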