Re: [dnsext] Failure to add glue MUST cause TC to be set.
Brandon Black <blblack@gmail.com> Mon, 21 February 2011 01:10 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E0F543A6EAC; Sun, 20 Feb 2011 17:10:09 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2813E3A6CC3 for <dnsext@core3.amsl.com>; Sun, 20 Feb 2011 17:10:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBa6qrKN7t-3 for <dnsext@core3.amsl.com>; Sun, 20 Feb 2011 17:10:08 -0800 (PST)
Received: from mail-gw0-f42.google.com (mail-gw0-f42.google.com [74.125.83.42]) by core3.amsl.com (Postfix) with ESMTP id 34DA13A6EAC for <dnsext@ietf.org>; Sun, 20 Feb 2011 17:10:08 -0800 (PST)
Received: by gwj23 with SMTP id 23so1172642gwj.15 for <dnsext@ietf.org>; Sun, 20 Feb 2011 17:10:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=QnZ6hZKBne/On9F0M/oYqdrczb6z3r5gkxSu7TTiG9o=; b=phGkz+gZiM9b3GhZKmyN67GDSFzbt2DabIVfSNfCbERpWJEuxp+JXbtyi8VWg3NYIH LmBFFPESgiVbGQo1tJ3AS4zdHVjafkhyjrxgvaKxl+bYkedILRWvUY7UqGacbL+ApGdG eiJZL3ya9pKcRsnUFG0SwxlHfMu9W04sg19WM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=pGkZP3WBIZJl07Iu5zWuWTkipnTcBPZJhHYV/NbPpX/VdxfNtgj3E1+oh+N/YgcVt0 jrmG4v8W9pOWNbKNypgHKHkdNuqDF9GZn0bOBXjcdBP0/A+gcPlQr0sG/gCnjVAQe75K xkhGrePNsG7tlga7j9nzBsdHCLsLBjH0xfOC8=
MIME-Version: 1.0
Received: by 10.100.123.1 with SMTP id v1mr364945anc.267.1298250648019; Sun, 20 Feb 2011 17:10:48 -0800 (PST)
Received: by 10.101.68.7 with HTTP; Sun, 20 Feb 2011 17:10:47 -0800 (PST)
In-Reply-To: <20110220224741.2ED73A65B39@drugs.dv.isc.org>
References: <20110219210716.72943A5602B@drugs.dv.isc.org> <A02552CBBF2B42F5BA91D6E4EC23F31D@local> <20110220203156.C1F83A6526F@drugs.dv.isc.org> <3764325DE7FA4B2F9B77387EBD15EAF8@local> <20110220210758.81B93A65431@drugs.dv.isc.org> <AANLkTi=cG0G1ocAqGUie1NCa+qgL=_oipTVMpe-8AsfR@mail.gmail.com> <20110220224741.2ED73A65B39@drugs.dv.isc.org>
Date: Sun, 20 Feb 2011 19:10:47 -0600
Message-ID: <AANLkTikOQi7DcaPkdU8JfEVFwRAKtA93TB6Ug04qhvOD@mail.gmail.com>
From: Brandon Black <blblack@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Failure to add glue MUST cause TC to be set.
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
On Sun, Feb 20, 2011 at 4:47 PM, Mark Andrews <marka@isc.org> wrote: >> the same single server to trust the suspicious cross-zone >> glue from. > > Your trusting the parent to supply glue for names beneath it. You > *have* to trust the parent when it gives you this information. > These names are all within the baliwick of the parent. Yes, I was thinking incorrectly when I wrote that, re: A.net. and B.net. In the terms of the glue clarification draft James linked, I guess narrow glue is pretty much required to function if it exists, and wide glue can work (and is often necessary in examples like your A.net. vs B.net. one), although it does require some security policy and management on the part of the parent registrar. For an easy general-case rule, you'd probably only want to allow those authorized to make updates related to B.net.'s NS records to register other glue address records underneath B.net. upstream, but still allow A.net. admins to reference existing B.net. glue in their NS records. The case I was confusing this with (re: optimization, etc) was the case where there was no immediate common parent domain to host the cross-zone glue (e.g. A.net. NS ns1.B.org. + B.org. NS ns1.A.net.). In the special case that the org. and net. nameservers shared IP addresses (and were in fact the same namservers) and handed out cross-zone glue addresses for those cases, a smart enough resolver might figure it out and believe them based on the shared nameserver IPs ("I already know 192.0.2.3 is authoritative for org. from earlier, and now during a query for A.net to the same IP address, I'm seeing B.org. glue records and it's ok to believe them"), but a dumber resolver would be unable to see records in either domain if it implemented a sane basic security model (bailiwick of QNAME). I think we have to assume the simpler resolver behavior rather than try to construct schemes that rely on the "smarter" behavior, right? The optimization part is on the authoritative servers' part. Should an authoritative server ever serve glue that's outside the bailiwick of the delegation's parent zone, just because it knows those glue addresses are part of other "unrelated" zones it serves, and a resolver might be smart enough to figure out the relationship? I think the answer is no, it's not worth serving that glue. Most resolvers are going to send you a second query for it anyway based on the simple bailwick of QNAME security model. In general I think the smartest policy in light of all of this is to always put the NS names for a zone beneath that zone itself, even if the IPs refer to 3rd-party nameservers, but it certainly doesn't have to be a requirement to function. _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext
- Re: [dnsext] Failure to add glue MUST cause TC to… Tony Finch
- [dnsext] Failure to add glue MUST cause TC to be … Mark Andrews
- Re: [dnsext] Failure to add glue MUST cause TC to… Paul Vixie
- Re: [dnsext] Failure to add glue MUST cause TC to… bmanning
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… Brandon Black
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- [dnsext] zone cut semantics Jim Reid
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- Re: [dnsext] Failure to add glue MUST cause TC to… Brandon Black
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- Re: [dnsext] Failure to add glue MUST cause TC to… James Mitchell
- Re: [dnsext] Failure to add glue MUST cause TC to… Brandon Black
- Re: [dnsext] Failure to add glue MUST cause TC to… Masataka Ohta
- Re: [dnsext] zone cut semantics Brandon Black
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- Re: [dnsext] zone cut semantics Jay Ashworth
- Re: [dnsext] zone cut semantics Jim Reid
- Re: [dnsext] zone cut semantics Brandon Black
- Re: [dnsext] zone cut semantics Jay Ashworth
- Re: [dnsext] zone cut semantics Michael Graff
- Re: [dnsext] zone cut semantics Olafur Gudmundsson
- Re: [dnsext] Failure to add glue MUST cause TC to… Florian Weimer
- Re: [dnsext] Failure to add glue MUST cause TC to… Tony Finch
- Re: [dnsext] Failure to add glue MUST cause TC to… Tony Finch
- Re: [dnsext] zone cut semantics W.C.A. Wijngaards
- Re: [dnsext] zone cut semantics Joe Abley
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… Mark Andrews
- Re: [dnsext] Failure to add glue MUST cause TC to… George Barwood
- Re: [dnsext] Failure to add glue MUST cause TC to… Joe Abley