for a 200 in 200,000,000 problem? Ban it. -G
On Fri, Jan 7, 2022 at 9:46 AM Wessels, Duane <[email protected]> wrote:
>
> In order to make progress on the glue-is-not-optional draft, we need the
> working group to reach consensus on the requirement level for sibling glue
> (MUST, SHOULD, or MAY).
>
> The only situation in which a failure to include sibling glue leads to a
> resolution failure is when there is a sibling glue cyclic dependency. e.g.:
>
> bar.test. 86400 IN NS ns1.foo.test.
> bar.test. 86400 IN NS ns2.foo.test.
>
> foo.test. 86400 IN NS ns1.bar.test.
> foo.test. 86400 IN NS ns2.bar.test.
>
> A few months back I analyzed the zone files available to me via CZDS for
> sibling glue. Out of some 209,000,000 total delegations, 222 of them had
> only sibling NS records in a cyclic dependency as above. The domains
> ADOBE.NET and OMTRDC.NET is one real-world example.
>
> The arguments for making sibling glue a MUST are:
>
> 1. accommodates (the 0.0001% of) domains with cyclic sibling glue.
>
> 2. simpler to specify, don’t need differing requirements for in-domain and
> sibling glue.
>
> The arguments against are:
>
> 1. domains with cyclic sibling delegations should be considered “broken” and
> not expected to work, perhaps similar to TsuNAME-style external delegation
> cycles.
>
> 2. increases response sizes, truncation probability, and amount of TCP.
>
>
> DW
>
>
> > On Oct 11, 2021, at 4:51 PM, Wessels, Duane <[email protected]> wrote:
> >
> > Dear DNSOP,
> >
> > Changes to this draft from the previous version are as follows:
> >
> > * Clarified scope to focus only on name server responses, and not
> > zone/registry data.
> > * Reorganized with section 2 as Types of Glue and section 3 as
> > Requirements.
> > * Removed any discussion of promoted / orphan glue.
> > * Use appropriate documentation addresses and domain names.
> > * Added Sibling Cyclic Glue example.
> >
> > I'd say we still do not have consensus on treatment of sibling glue.
> > Section 3.2 currently has the strict requirements with optional more
> > lenient requirements in [square brackets]:
> >
> > 3.2. Sibling Glue
> >
> > This document clarifies that when a name server generates a referral
> > response, it MUST [SHOULD] include available sibling glue records in
> > the additional section. If all sibling glue records do not fit in a
> > UDP response, the name server MUST [is NOT REQUIRED to] set TC=1.
> >
> >
> > DW
> >
> >
> >> On Oct 11, 2021, at 4:30 PM, [email protected] wrote:
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
> >> directories.
> >> This draft is a work item of the Domain Name System Operations WG of the
> >> IETF.
> >>
> >> Title    : Glue In DNS Referral Responses Is Not Optional
> >> Authors  : M. Andrews
> >>            Shumon Huque
> >>            Paul Wouters
> >>            Duane Wessels
> >> Filename : draft-ietf-dnsop-glue-is-not-optional-03.txt
> >> Pages    : 9
> >> Date     : 2021-10-11
> >>
> >> Abstract:
> >> The DNS uses glue records to allow iterative clients to find the
> >> addresses of nameservers that are contained within a delegated zone.
> >> Authoritative Servers are expected to return all available glue
> >> records in referrals. If message size constraints prevent the
> >> inclusion of all glue records in a UDP response, the server MUST set
> >> the TC flag to inform the client that the response is incomplete, and
> >> that the client SHOULD use TCP to retrieve the full response. This
> >> document updates RFC 1034 to clarify correct server behavior.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-glue-is-not-optional/
> >>
> >> There is also an HTML version available at:
> >> https://www.ietf.org/archive/id/draft-ietf-dnsop-glue-is-not-optional-03.html
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-glue-is-not-optional-03
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >>
> >> _______________________________________________
> >> DNSOP mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/dnsop
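
Added example, not part of the thread or of the draft: a Python check of the kind the quoted message describes, which reads the delegation NS records of one parent zone and flags delegations that are reachable only through sibling glue in a cyclic dependency. The sample records are constructed; the `owner TTL IN NS target` line format and the choice to treat NS names outside the parsed delegations as resolvable elsewhere are assumptions.

```python
from collections import defaultdict

# Constructed sample delegations from a parent zone "test." (not real data).
SAMPLE = """\
bar.test. 86400 IN NS ns1.foo.test.
bar.test. 86400 IN NS ns2.foo.test.
foo.test. 86400 IN NS ns1.bar.test.
foo.test. 86400 IN NS ns2.bar.test.
ok.test. 86400 IN NS ns1.ok.test.
sib.test. 86400 IN NS ns1.ok.test.
ext.test. 86400 IN NS ns.example.net.
"""

def parse_delegations(text):
    """Return {delegated zone: set of NS target names}, lower-cased."""
    zones = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == "NS":
            zones[f[0].lower()].add(f[4].lower())
    return dict(zones)

def owning_zone(name, zones):
    """Closest enclosing delegated zone for a name, or None if outside them."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in zones:
            return cand
    return None

def sibling_cycles(text):
    """Delegations that can only be reached through sibling glue."""
    zones = parse_delegations(text)
    deps = {z: {owning_zone(ns, zones) for ns in t} for z, t in zones.items()}
    # Resolvable without sibling glue: some NS is in-domain (dep == zone),
    # or lies outside these delegations (dep is None, assumed resolvable),
    # or lies under a sibling zone already known to be resolvable.
    ok = {z for z, d in deps.items() if z in d or None in d}
    changed = True
    while changed:
        changed = False
        for z, d in deps.items():
            if z not in ok and d & ok:
                ok.add(z)
                changed = True
    return sorted(set(zones) - ok)
```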
