Re: [DNSOP] I-D Action: draft-ietf-dnsop-glue-is-not-optional-04.txt

Tue, 22 Mar 2022 15:05:00 -0700 


> On 23 Mar 2022, at 01:45, Ralf Weber <[email protected]> wrote:
> 
> Moin!
> 
> On 22 Mar 2022, at 14:43, Hugo Salgado wrote:
>> On 14:02 22/03, Ralf Weber wrote:
>>> However missing data might make it impossible for a name server to answer 
>>> with the correct (referral) glue data.
>>> 
>>> And maybe add some encouragement or referral ;-) to work that has to be 
>>> done elsewhere.
>>> 
>> 
>> The problem is with SIBLING glue records. The in-domain glues are of
>> course required and included in the zone.
> No, the problem with missing data is general. The (referral) glue records are 
> required, but it is possible to not supply them and break resolution. I think 
> in general a name server can only serve what it is given. So if you have a 
> zone example.com that has
> 
> sub.example.com. IN NS ns.sub.example.com.
> sub.example.com. IN NS ns.example.org.
> 
> that is valid data even if you check in zone glues (and not all servers check 
> that on load and the ones that do usually just issue a warning). It is very 
> easy to create wrong zone data that will lead to resolution errors, and there 
> is nothing an authoritative name server can do once it has accepted that 
> data. I actually just loaded the above example in Akamai AuthServe, ISC bind 
> and NLNetLabs NSD and all of them loaded it, and I could also load them even 
> without ns.example.org line on all of them.

Well for BIND missing glue on zone load was supposed to be made fatal with the 
BIND 9.5.0 release
See lib/dns/zone.c:zone_check_glue

                        /* XXX950 make fatal for 9.5.0. */
                        /* answer = false; */

> So if we say that we don’t put requirements on data or data generators 
> (registries) than we have to spell out that even a server that follows this 
> draft/RFC might not be able to serve answers according to the draft/RFC when 
> the data is not correct.
> 
> So long
> -Ralf
> ——-
> Ralf Weber
> 
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to