Re: [dnsext] Failure to add glue MUST cause TC to be set.

[James Mitchell <james.mitchell@ausregistry.com.au>]

Whether it is a mis-configuration depends on the glue policy of the parent zone.

There would be a mis-configuration under a "narrow" policy, where glue RRs are registered if and only if the name server resides within or below the delegated (child) zone. On the other hand it would be fine under a "wide" policy, where glue RRs are registered if and only if the name server resides below the delegating (parent) zone.

Glue policy definitions came from http://tools.ietf.org/html/draft-koch-dns-glue-clarifications-04.

James

> -----Original Message-----
> From: dnsext-bounces@ietf.org [mailto:dnsext-bounces@ietf.org] On Behalf Of
> Mark Andrews
> Sent: Monday, 21 February 2011 9:58 AM
> To: George Barwood
> Cc: dnsext@ietf.org
> Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
> 
> 
> In message <3D9B2A0D15F84DC6822FCF0FC6F8F214@local>, "George Barwood" writes:
> >
> > ----- Original Message -----
> > From: "Mark Andrews" <marka@isc.org>
> > To: "George Barwood" <george.barwood@blueyonder.co.uk>
> > Cc: <dnsext@ietf.org>
> > Sent: Sunday, February 20, 2011 9:07 PM
> > Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
> >
> >
> > >
> > > In message <3764325DE7FA4B2F9B77387EBD15EAF8@local>, "George Barwood"
> writes:
> > >> >> ----- Original Message -----
> > >> >> From: "Mark Andrews" <marka@isc.org>
> > >> >> To: <dnsext@ietf.org>
> > >> >> Sent: Saturday, February 19, 2011 9:07 PM
> > >> >> Subject: [dnsext] Failure to add glue MUST cause TC to be set.
> > >> >>
> > >> >> > Below is a example of why TC should be set when glue cannot be added
> > >> >> > to the answer.
> > >> >> >
> > >> >> > [..]
> > >> >>
> > >> >> Agreed, but where exactly should the line be drawn?
> > >> >
> > >> > What line?  If the glue doesn't fit then the referral is not complete.
> > >> >
> > >> >> If omitting any glue leads to truncation, then many (non-DNSSEC)
> referrals
> > >> >> over UDP will have TC set. e.g.
> > >> >>
> > >> >> dig foo.com @a.root-servers.net
> > >> >
> > >> > Yes.
> > >> >
> > >> >> Is that sensible?
> > >> >
> > >> > Yes.
> > >> >
> > >> >> How much glue is enough?
> > >> >
> > >> > Depends on the delegation.  The only safe answer is all you have.
> > >>
> > >> One suggestion that might work is that glue which matchs QNAME+QTYPE MUST
> > >> be included, but other glue can be omitted.
> > >
> > > This does not work in all cases where glue needs to be returned.
> > >
> > > Zone A.net is served by servers in B.net.  Zone B.net is served by
> > > servers in A.net.
> >
> > So something like
> >
> >
> > But nothing will work in that case - if you make a recursive loop like this,
> > then there is no glue ( the name server names are not "below" the cut ) and
> > you have had it regardless.
> 
> Glue records are records in the parent zone to enable you to reach
> the servers for the child zone.  RFC 1034 gave a obvious example
> of such records.  There are less obvious examples.
> 
> > That's a mis-configuration, not a counter-example.
> 
> No. It is not a mis-configuration.
> 
> > George
> >
> > > Mark
> > > --
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> 
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext