On 5 Mar 2018, at 08:14, Paul Hoffman <paul.hoff...@vpnc.org> wrote:

> Greetings. As you can see, draft-ietf-dnsop-terminology-bis-09.txt is out. 
> Reading the diff might be a bit difficult because of the reorganization of 
> some sections that y'all asked for, but I think the result is worth the extra 
> effort.
> We're still not done yet. I took a hiatus from finishing the list of 
> definitions that people wanted more scrutiny on, but will start that again 
> soon. I hope we'll be done with that list by mid-April and then be ready for 
> WG last call.
> As a side note, some of the changes in this version came from people reading 
> the document fresh. I encourage folks who were maybe waiting for WG Last Call 
> to do a first deep reading of the document to instead do so now. The work 
> that everyone is doing on this document will go a long way to making the 
> final RFC more valuable for lots of folks entering the field.

I’ve reviewed this, and I think it is a very useful document.

Here are my suggestions, which I hope will help.

My main suggestion is to recommend that people always avoid using the term “DNS 
server” or “name server”, since there are two very different kinds of “DNS 
server” or “name server”. Instead, people should diligently use the terms 
“authoritative server”, and “recursive resolver” to indicate which kind they 
are talking about. They have very different rôles, despite the fact that both 
can often be done with the same software package.

In your definition of “recursive resolver” I’d also include a note that this is 
a misnomer. It’s not recursive, in the classic computer science use of that 
term. A true “recursive resolver” would be one that forwarded its query to a 
different “recursive resolver”, and so on, until some terminating condition. 
That’s recursion in the classic computer science sense. Actually, a DNS 
“recursive resolver” is one that performs iterative resolution on behalf of the 
requester. The Recursion Desired (RD) bit might have been better specified as 
the Iteration Desired (ID) bit. I realize that’s not going to change, but we 
should document that dubious use of the term “recursive”.

In the abstract, expand the first mention of DNS:

   The Domain Name System (DNS) is defined in literally dozens of different 

In this text:

   Naming system:  A naming system associates names with data.  Naming
      systems have many significant facets that help differentiate them.
      Some commonly-identified facets include:
      *  Composition of names

I don’t know what “Composition of names” means in this context.

   Label:  An ordered list of zero or more octets and which makes up a
      portion of a domain name.  Using graph theory, a label identifies
      one node in a portion of the graph of all possible domain names.

A label alone does not uniquely identify a node in the graph. A label 
identifies one specific *child* node of the parent at that point in the graph.

      A domain name in the global DNS has a maximum total
      length of 255 octets in the wire format; the root represents one
      octet for this calculation.

Include a reference to Appendix C of RFC 6762 which discusses this topic: 

You may conclude that the assessment in RFC 6762 was wrong, but if so, the 
terminology document should say so explicitly, rather than just ignoring RFC 

      in both English and C the first label in the ordered list is
      right-most; but in Arabic it may be left-most

It’s not clear what “first” means here. Maybe write “root label” or “TLD” 

      Note that any label in a
      domain name can contain any octet value; hostnames are generally
      considered to be domain names where every label follows the rules
      in the "preferred name syntax", with the amendment that labels can
      start with ASCII digits (this amendment comes from Section 2.1 of

This might be a good point to describe the "preferred name syntax" of letters, 
digits and hyphens.

   Canonical name:  A CNAME resource record "identifies its owner name
      as an alias, and specifies the corresponding canonical name in the
      RDATA section of the RR."

This might be a good point to introduce the concept of a CNAME chain. The 
intention of a CNAME resource record is to give the canonical name, but the 
purported “canonical name” may itself be an alias of some other “canonical 

   Public suffix:  "A domain that is controlled by a public registry."
      (Quoted from [RFC6265], Section 5.3) A common definition for this
      term is a domain under which subdomains can be registered

I would say: “a domain under which subdomains can be registered by third 

Any domain can have subdomains registered. It’s the third-party aspect that 
makes a public registry different.

      a name server does not find an RRset that matches a query, but it
      finds the same name in the same class with a CNAME record, then
      the name server "includes the CNAME record in the response and
      restarts the query at the domain name specified in the data field
      of the CNAME record.

I think this is an example of where “name server” means “recursive resolver”.

   3.  DNS Response Codes

This lists NOERROR, FORMERR, SERVFAIL, etc. What about NOTAUTH?

   RRset:  A set of resource records with the same label, class and
      type, but with different data.

I think this should say: A set of resource records with the same owner name...

Why state a wrong definition (saying “label”), and then add a clarification 
correcting it?

      Similarly, an imputed definition
      of "resolution" might be "the answer received from resolving".

I would add that "resolution" might mean “the act of resolving”.

      While strictly
      the difference between these is that one of them sends queries to
      another recursive server and the other does not

One of them? One of what? Which one sends queries to another recursive server, 
and which does not?

   Full resolver:  This term is used in [RFC1035], but it is not defined
      there.  RFC 1123 defines a "full-service resolver" that may or may
      not be what was intended by "full resolver" in [RFC1035].  This
      term is not properly defined in any RFC.

So? What do we conclude from this?

   Recursive query:  A query with the Recursion Desired (RD) bit set to
      1 in the header.(See Section 4.1.1 of [RFC1035].)

Missing space.

   Iterative query:  Synonym for non-recursive query that happens to be
      a query in a series of recursive queries

I think you need to delete the word “recursive” here. “series of recursive 
queries” should just be “series of queries”

      the first server pursues the query for the client

I would say, “the first server pursues the query on behalf of the client”

      Note that it is
      possible for an authoritative server to respond to a query without
      the parent zone delegating authority to that server.

Can you elaborate how?

   Hidden master:  A stealth server that is a primary server for zone
      transfers.  "In this arrangement, the master name server that
      processes the updates is unavailable to general hosts on the
      Internet; it is not listed in the NS RRset."

The mention of “updates” here appears out of the blue. Can you elaborate?

      A hidden master can also be a secondary server itself.

I would say, “A hidden master for a zone can also be a secondary server for 
that zone itself.”

   Forwarding:  The process of one server sending a DNS query with the
      RD bit set to 1 to another server to resolve that query.

How about, “The process of one server sending a DNS query with the RD bit set 
to 1 to another recursive resolver to resolve that query.”

      That definition appears to suggest that forwarders
      normally only query authoritative servers.

I would say, “normally only query authoritative servers, which would make them 
recursive resolvers.”

   Anycast:  "The practice of making a particular service address
      available in multiple, discrete, autonomous locations, such that
      datagrams sent are routed to one of several available locations."
      (Quoted from [RFC4786], Section 2)

State that anycast means that the same IP address routes to different locations.

   Instance:  "When anycast routing is used...

Instead of “Instance” I would say, “Anycast Instance”

   Split DNS:  "Where a corporate network serves up partly or completely
      different DNS inside and outside its firewall.

I would say, “different DNS *views* inside and outside its firewall”.

      *  In-domain: an adjective to describe a name server whose name is
         either subordinate to...

I would say, “whose name is either a subdomain of...”

      *  Sibling domain: a name server's name that is either subordinate
         to or (rarely) the same as the zone origin and not subordinate
         to or the same as the owner name of the NS resource records.

I found this confusing. How about:

      *  Sibling domain: a name server's name that is either a subdomain of
         or (rarely) the same as the *parent* zone origin and not a subdomain of
         or the same as the owner name of the *child* NS resource records.

And here:

      "Out-of-bailiwick" is the antonym of in-bailiwick.  An adjective
      to describe a name server whose name is not subordinate to or the
      same as the zone origin.

Does this mean “a name server whose name is not a subdomain of or the same as 
the *parent* zone origin”?

      Glue records for out-of-bailiwick name servers are useless.

I would add: “... are useless, and possibly fraudulent.”

      It is noted that this definition might
      inadvertently also include any NS records that appear in the zone

What does “inadvertently” mean? Inadvertently how?

   Closest provable encloser:  "The longest ancestor of a name that can
      be proven to exist.  Note that this is only different from the

Would it be informative to say, “that can be *cryptographically* proven to 
exist” ?

   Fast flux DNS: ... It is often used to deliver malware.

Is this the whole story? I think short TTLs are also used to achive load 
balancing. The name “www.google.com” has a short TTL, but that’s not so that it 
can deliver malware.

   Reverse DNS, reverse lookup:  "The process of mapping an address to a

I would add that this is *not* IQUERY.

      During 2000, the abbreviation was
      redesignated to 'Address and Routing Parameter Area' in the hope
      of reducing confusion with the earlier network name."

This is mysterious and unenlightening. Please state what the earlier network 
name was.

Please say, “the abbreviation was redesignated from 'xxxx' to 'Address and 
Routing Parameter Area'”.

Otherwise, this text is just mysterious and confusing to the reader.

      These terms are strictly ways of referring to the
      relationship standing of two domains where one is a subdomain of
      the other.

Maybe we should state explicitly that “subordinate” is a synonym for 

      enumeration is different from zone content guessing where the
      guesser uses a large dictionary of possible labels

Can we elaborate on *how* it is different?

   DNSSEC Policy (DP):  A statement that "sets forth the security
      requirements and standards to be implemented for a DNSSEC-signed
      zone."  (Quoted from [RFC6841], Section 2)

   DNSSEC Practice Statement (DPS):  "A practices disclosure document
      that may support and be a supplemental document to the DNSSEC
      Policy (if such exists), and it states how the management of a
      given zone implements procedures and controls at a high level."
      (Quoted from [RFC6841], Section 2)

I’m unclear on what these mean. Can we add more explanatory text?

   These states are
   defined in [RFC4033] and [RFC4035], although the two definitions
   differ a bit.

Can we elaborate with more details about *how* these definitions differ?

Stuart Cheshire

DNSOP mailing list

Reply via email to