On Tue, Feb 21, 2023 at 11:49:40AM +0100, Ralf Weber wrote:

> > This leaves 6,466 cases to examine more closely:
> >
> >    1. 3,773 are in complete agreement with the authoritative A/AAAA
> >       records.
> >
> >    2. 1,447 have authoritative A/AAAA records completely distinct
> >       from the sibling glue.
> >
> >    3. 1,414 return NXDOMAIN from the auth zone!
> >
> >    4. 74 return NODATA from the auth zone for both A and AAAA!
> >
> >    5. 213 return SERVFAIL from the auth zone A and AAAA lookups.
> >
> > Of the above, case "1" could perhaps reduce latency, but is otherwise
> > redundant (modulo exceedingly rare cyclic dependencies).
> 
> These “rare” cases where the domain is not resolvable when a glue is not
> present are the ones this draft is done for. So did you look how rare
> they were in your dataset? Being able to resolve instead of not resolving
> IMHO has value even if the number is not big.

Sure, there is *almost* one loop:

    tsort: -: input contains a loop:
    tsort: frogsoft.org.
    tsort: frogid-server.org.

In the form of:

    frogsoft.org. IN NS frogid-server.org.
    frogid-server.org. IN NS frogsoft.org.
    frogid-server.org. IN NS atelier-frogsoft.org.
    atelier-frogsoft.org. IN NS frogid-server.org.
    atelier-frogsoft.org. IN NS ns344725.ip-37-187-251.eu.
    ;
    frogsoft.org. IN A 37.187.251.101
    frogid-server.org. IN A 213.186.33.5
    atelier-frogsoft.org. IN A  5.39.70.108

but the loop is not fully closed, because the ".eu" NS host is live
and returns:

    atelier-frogsoft.org. IN A 37.187.251.101

The remaining glue IPs are either timing out or returning REFUSED, so
again, on the whole, the glue is worse than nothing.

> We all know that a lot of data in the DNS is garbage, that should not
> stop us from using the good data.

Sure, if the garbage were harmless, but, more frequently than not, the
sibling glue is worse than ignoring it and resolving the nameserver
addresses explicitly.  The basic problem is that largely nobody is
minding the sibling glue, it just rots away, while "child-centric"
resolvers may do well by discarding it.

The case for resolving loops is particularly weak, perhaps someone
wants to instead motivate this based on the occasional success for
the otherwise non-resolving names?  (I am still not convinced...)

Let the domain owners fix the garbage.  We don't need to bend over
backwards serving muck just because some users are lazy.  That only
delays the inevitable breakage, nobody is minding the farm.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
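
The loop check discussed in the message (tsort reports a cycle among the NS names, yet the out-of-loop ".eu" nameserver keeps it from being fully closed), as an added Python example that is not part of the original message. It assumes a nameserver name outside the listed zones resolves without glue, and it does not model whether the servers actually answer; the function names are illustrative.

```python
# NS records exactly as quoted in the message above.
NS_RECORDS = """\
frogsoft.org. IN NS frogid-server.org.
frogid-server.org. IN NS frogsoft.org.
frogid-server.org. IN NS atelier-frogsoft.org.
atelier-frogsoft.org. IN NS frogid-server.org.
atelier-frogsoft.org. IN NS ns344725.ip-37-187-251.eu.
"""

def parse_ns(text):
    """Return {zone: set of NS host names} from 'owner IN NS target' lines."""
    deps = {}
    for line in text.splitlines():
        f = line.lower().split()
        if len(f) == 4 and f[1:3] == ["in", "ns"]:
            deps.setdefault(f[0], set()).add(f[3])
    return deps

def enclosing_zone(host, zones):
    """Longest listed zone containing host; None means 'external' (assumption)."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:]) + "."
        if cand in zones:
            return cand
    return None

def on_cycle(deps):
    """Zones that can reach themselves via NS-host dependencies (a loop)."""
    edges = {z: {enclosing_zone(h, deps) for h in hs} - {None}
             for z, hs in deps.items()}
    def reach(z, seen):
        for n in edges[z]:
            if n not in seen:
                seen.add(n)
                reach(n, seen)
        return seen
    return {z for z in deps if z in reach(z, set())}

def glue_dependent(deps):
    """Zones none of whose NS hosts can be resolved without glue (fixed point)."""
    ok = set()
    while True:
        new = {z for z, hs in deps.items() if z not in ok and
               any(enclosing_zone(h, deps) in ok | {None} for h in hs)}
        if not new:
            return set(deps) - ok
        ok |= new
```

On the quoted records every zone sits on a cycle, but none is glue-dependent; dropping the ".eu" NS record closes the loop and makes all three zones depend on glue.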
