On Thu, Feb 16, 2023 at 09:15:35PM -0500, Viktor Dukhovni wrote:

> There are many more. We see a steady stream of sibling-glue-related
> lookup failures, that are only resolved after going to the authoritative
> source for the actual IP addresses of the nameservers in question.
I undertook a more comprehensive look, with the .ORG TLD as a case in point.
There I find:

1. 349,332 unique host objects with one or more A or AAAA records.
2. 80,427 are in-bailiwick nameservers of their domain.
3. 6,466 are not nameservers of an ancestor .org name, so only useful as
   "sibling glue".
4. The remaining 262,575 appear to be garbage, detached from any .org
   delegation's nameserver name! Why these are still in the zone is rather
   a mystery.

This leaves 6,466 cases to examine more closely:

1. 3,773 are in complete agreement with the authoritative A/AAAA records.
2. 1,447 have authoritative A/AAAA records completely distinct from the
   sibling glue.
3. 1,414 return NXDOMAIN from the auth zone!
4. 74 return NODATA from the auth zone for both A and AAAA!
5. 213 return SERVFAIL from the auth zone A and AAAA lookups.

Of the above, case "1" could perhaps reduce latency, but is otherwise
redundant (modulo exceedingly rare cyclic dependencies). So the question is
whether in "2" the authoritative or sibling glue IPs are in practice
correct, and whether the auth A/AAAA resolution failures from "3", "4" and
"5" are better served by the sibling glue.

To that end, I took a random sample of 20 sibling NS names. These had 25
auth addresses and 21 sibling glue addresses. Querying a domain each host
is supposed to serve yields the below stats:

             AUTH | GLUE
          +-------|------
  LIVE    |     8 |    2
  LAME    |     4 |    0
  TIMEOUT |    13 |   19

Of the 2 working sibling glue cases, one was also handled by the
corresponding auth IP. So in this random sample, the sibling glue was only
"better" 1 in 20 times, with 7 worse and the rest no difference (mostly
timeouts). So far, this does not look like a compelling argument for
serving sibling glue...

For cases "3", "4" and "5" I took 20 random nameservers of each type, for
a total of 62 associated sibling glue IPs. Querying each for a name it is
expected to serve the stats are:

  NOERROR:   6
  TIMEOUT:  44
  REFUSED:  10
  SERVFAIL:  2

Again, the sibling glue is mostly no better than nothing, but ~10% of the
sampled cases worked out.

Overall, I think the world would be better served without the sibling
glue, the incentives to keep it accurate are poorly aligned. As suspected,
where it differs from the authoritative data, it is almost entirely junk.

-- 
    Viktor.

DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
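The bucketing used above (glue agrees with the authoritative A/AAAA data, glue is completely distinct, or the authoritative lookup returns NXDOMAIN, NODATA or SERVFAIL) is easy to automate as a zone-hygiene audit. The following is an added example, not code from the post or from any DNSOP participant. It takes the sibling-glue hosts of a zone as a name-to-address-set mapping, takes the "authoritative view" as a resolver callback (so it runs offline against a canned answer table, and a real run would wrap dig or dnspython in that callback), and tallies each host into the post's buckets. It goes slightly beyond the post by adding a PARTIAL bucket for glue that overlaps the authoritative set without matching it. All host names and addresses below are constructed sample data.

```python
"""Audit sibling glue against authoritative A/AAAA answers (added example)."""
from collections import Counter
from typing import Callable, Dict, FrozenSet, Tuple

# Resolver signature: (owner name, "A" or "AAAA") -> (rcode, addresses).
# rcode is "NOERROR", "NXDOMAIN" or "SERVFAIL"; addresses is empty for
# NODATA and for failures.  A real deployment would query the zone's own
# authoritative servers here; this example is driven by a canned table.
Resolver = Callable[[str, str], Tuple[str, FrozenSet[str]]]


def classify_glue(name: str, glue: FrozenSet[str], resolve: Resolver) -> str:
    """Place one sibling-glue host into a bucket.

    Returns one of AGREE, DISTINCT, PARTIAL, NXDOMAIN, NODATA, SERVFAIL.
    PARTIAL (overlapping but unequal address sets) is an added bucket that
    the post's tally does not have.
    """
    answers = {rtype: resolve(name, rtype) for rtype in ("A", "AAAA")}
    rcodes = {rcode for rcode, _ in answers.values()}
    # NXDOMAIN is a statement about the owner name, not the record type,
    # so a single NXDOMAIN answer settles the case.
    if "NXDOMAIN" in rcodes:
        return "NXDOMAIN"
    auth = frozenset().union(*(addrs for _, addrs in answers.values()))
    if not auth:
        # No usable address at all: distinguish a failed lookup from an
        # existing name that simply has no A/AAAA records.
        return "SERVFAIL" if "SERVFAIL" in rcodes else "NODATA"
    if auth == glue:
        return "AGREE"
    if auth.isdisjoint(glue):
        return "DISTINCT"
    return "PARTIAL"


def audit_zone(glue_records: Dict[str, FrozenSet[str]], resolve: Resolver) -> Counter:
    """Tally every sibling-glue host in the zone into the buckets above."""
    return Counter(classify_glue(name, glue, resolve)
                   for name, glue in glue_records.items())


# Constructed sample data: six sibling-glue hosts as they might appear in a
# TLD zone file, one per bucket.
SAMPLE_GLUE: Dict[str, FrozenSet[str]] = {
    "ns1.agree.example.":   frozenset({"192.0.2.10", "2001:db8::10"}),
    "ns1.stale.example.":   frozenset({"192.0.2.20"}),
    "ns1.gone.example.":    frozenset({"192.0.2.30"}),
    "ns1.empty.example.":   frozenset({"192.0.2.40"}),
    "ns1.broken.example.":  frozenset({"192.0.2.50"}),
    "ns1.partial.example.": frozenset({"192.0.2.60", "192.0.2.61"}),
}

# Constructed "authoritative" answers for the same hosts.
SAMPLE_AUTH: Dict[Tuple[str, str], Tuple[str, FrozenSet[str]]] = {
    ("ns1.agree.example.", "A"):      ("NOERROR", frozenset({"192.0.2.10"})),
    ("ns1.agree.example.", "AAAA"):   ("NOERROR", frozenset({"2001:db8::10"})),
    ("ns1.stale.example.", "A"):      ("NOERROR", frozenset({"198.51.100.20"})),
    ("ns1.stale.example.", "AAAA"):   ("NOERROR", frozenset()),
    ("ns1.gone.example.", "A"):       ("NXDOMAIN", frozenset()),
    ("ns1.gone.example.", "AAAA"):    ("NXDOMAIN", frozenset()),
    ("ns1.empty.example.", "A"):      ("NOERROR", frozenset()),
    ("ns1.empty.example.", "AAAA"):   ("NOERROR", frozenset()),
    ("ns1.broken.example.", "A"):     ("SERVFAIL", frozenset()),
    ("ns1.broken.example.", "AAAA"):  ("SERVFAIL", frozenset()),
    ("ns1.partial.example.", "A"):    ("NOERROR", frozenset({"192.0.2.60", "192.0.2.62"})),
    ("ns1.partial.example.", "AAAA"): ("NOERROR", frozenset()),
}


def canned_resolver(name: str, rtype: str) -> Tuple[str, FrozenSet[str]]:
    """Offline stand-in for an authoritative lookup; unknown names SERVFAIL."""
    return SAMPLE_AUTH.get((name, rtype), ("SERVFAIL", frozenset()))


if __name__ == "__main__":
    for bucket, count in sorted(audit_zone(SAMPLE_GLUE, canned_resolver).items()):
        print(f"{bucket:9s} {count}")
```

In the post's terms, only AGREE is harmless but redundant; everything else is glue that a resolver would be handing out in place of, or in the absence of, the authoritative data, so DISTINCT and PARTIAL are the hosts worth spot-checking for liveness first.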