On 4/12/23 21:17, Havard Eidnes wrote:
Reserving the term "a lame delegation" only for the case where
none of the delegated-to name servers serve the delegated zone
with DNS lookup service does at least not match my current
understanding of the term.
Much of the discussion of "lame
On 12 Apr 2023, at 20:33, Patrik Fältström wrote:
> And if you use anycast, where some of the servers in the anycast cloud
> respond and some do not?
On 12 Apr 2023, at 20:37, Joe Abley wrote:
> This is not a distinction that matters
This, and independently of whether
> you consider lameness
On 12 Apr 2023, at 21:37, Joe Abley wrote:
> With regard to a flock of drones providing service for a single nameserver I
> agree there are other exciting failure modes to look forward to. But, as
> before, I don't think we have a shortage of ways to describe them -- no need
> to economise by
On Wed, Apr 12, 2023 at 21:33, Patrik Fältström
wrote:
> On 12 Apr 2023, at 20:56, Niall O'Reilly wrote:
>
>> I have, or think I have, always understood the NS RRset at a zone
>> cut to advertise a set of delegations, each to a distinct server.
>
> And if you use anycast, where some of the
On 12 Apr 2023, at 20:56, Niall O'Reilly wrote:
> I have, or think I have, always understood the NS RRset at a zone
> cut to advertise a set of delegations, each to a distinct server.
And if you use anycast, where some of the servers in the anycast cloud respond
and some do not?
Patrik
> Joe Abley> One nameserver in the delegation set of a particular
> Joe Abley> child zone might provide non-authoritative
> Joe Abley> responses. By my usage, that nameserver is lame for
> Joe Abley> that zone. The delegation of that zone to that
> Joe Abley> nameserver is a lame delegation.
On 10 Apr 2023, at 20:42, Mats Dufberg wrote:
Delegation is an entity consisting of a set of name servers and, in
some cases, glue address records. One part of the delegation is to
provide the path to the child zone content.
While this may be a convenient way to consider things in an
Joe Abley> One nameserver in the delegation set of a particular child zone might provide
Joe Abley> non-authoritative responses. By my usage, that nameserver is lame for that zone.
Joe Abley> The delegation of that zone to that nameserver is a lame delegation. Identified
Joe Abley> when
On 11Apr23, Warren Kumari apparently wrote:
> lame delegation
> lame server
Notwithstanding an unresponsive/unreachable server, perhaps due to an ephemeral
network error, is there any scenario where a misconfigured server is not
described as lame in some way?
Put another way, fixing a lame
On Mon, Apr 10, 2023 at 5:13 PM, Mats Dufberg <
mats.dufberg=40internetstiftelsen...@dmarc.ietf.org> wrote:
>
>
>
> mats> For the *delegation* to be lame it is not enough for one name
> mats> server to be ``broken''. The entire set must be such that the path
> mats> to the child zone content is
Mr Hunt!
On Mon, Apr 10, 2023 at 21:09, Evan Hunt wrote:
> On Mon, Apr 10, 2023 at 02:35:36PM +, Joe Abley wrote:
>> I continue to think that if you don't get a response, you can't tell
>> whether the delegation is lame. Lameness (as I use the term) relates the
>> configuration of the
mats> For the *delegation* to be lame it is not enough for one name
mats> server to be ``broken''. The entire set must be such that the path
mats> to the child zone content is not available.
mats> For individual name servers it could be meaningful to say that
mats> it is a *lame name server* in
Under this issue is a discussion on the meaning of “lame delegation” but I see
a focus on quality of individual name servers (in relation to a certain zone).
Delegation is an entity consisting of a set of name servers and, in some cases,
glue address records. One part of the delegation is to
On Mon, Apr 10, 2023 at 02:35:36PM +, Joe Abley wrote:
> I continue to think that if you don't get a response, you can't tell
> whether the delegation is lame. Lameness (as I use the term) relates the
> configuration of the nameserver, not its availability.
>
> So I prefer Duane's
>> Perhaps if we inverted the logic? I realize this does broaden the
>> fundamental definition but what if, instead of saying "gave
>> non-authoritative response" we define lame as "failed to give an
>> authoritative/AA response"?
jtk> Isn't that what I originally suggested and Joe disagreed with?
On Mon, 10 Apr 2023 11:29:36 -0600
Paul Ebersman wrote:
> Perhaps if we inverted the logic? I realize this does broaden the
> fundamental definition but what if, instead of saying "gave
> non-authoritative response" we define lame as "failed to give an
> authoritative/AA response"?
Isn't that
Perhaps if we inverted the logic? I realize this does broaden the
fundamental definition but what if, instead of saying "gave
non-authoritative response" we define lame as "failed to give an
authoritative/AA response"?
>> I continue to think that if you don't get a response, you can't tell
>>
On Mon, 10 Apr 2023 14:35:36 +
Joe Abley wrote:
> I continue to think that if you don't get a response, you can't tell
> whether the delegation is lame. Lameness (as I use the term) relates
> the configuration of the nameserver, not its availability.
>
> So I prefer Duane's formulation to
On Mon, Apr 10, 2023 at 16:30, John Kristoff wrote:
> On Mon, 10 Apr 2023 13:39:21 +
> "Wessels, Duane" wrote:
>
>> “A lame delegation is said to exist when one or more authoritative
>> servers designated by the delegating NS rrset or by the apex NS rrset
>> answers non-authoritatively for
On Mon, 10 Apr 2023 13:39:21 +
"Wessels, Duane" wrote:
> “A lame delegation is said to exist when one or more authoritative
> servers designated by the delegating NS rrset or by the apex NS rrset
> answers non-authoritatively for a zone”.
Perhaps, say "does not answer authoritatively for a
>> > Well, one would, in fact, expect a delegation to be a
>> > non-authoritative answer:
>>
>> Yes, but one would presume that before any of the two above
>> queries were sent, the recursive resolver already have cached the
>> delegation for jshsos.ksyunv5.com.
>
> It doesn't matter, there can be
On Thu, Apr 06, 2023 at 11:13:32PM +0200, Havard Eidnes wrote:
> > Well, one would, in fact, expect a delegation to be a non-authoritative
> > answer:
>
> Yes, but one would presume that before any of the two above
> queries were sent, the recursive resolver already have cached the
> delegation
> On 7 Apr 2023, at 07:13, Havard Eidnes wrote:
>
>> What I'm trying to suggest (resolver perspective), is that
>> questions of responsibility, ... are not something a resolver
>> can or should attempt to determine. All one can attempt to do
>> is classify query responses.
>
> Yes, I agree,
> What I'm trying to suggest (resolver perspective), is that
> questions of responsibility, ... are not something a resolver
> can or should attempt to determine. All one can attempt to do
> is classify query responses.
Yes, I agree, as far as a recursive resolver is concerned.
However, talking
On 03Apr23, Viktor Dukhovni apparently wrote:
> I believe that the most natural perspective is from the view point of a
> resolver attempting to classify a (non?)response to a query sent to an
> authoritative server.
It is certainly true that a resolver detects a lame delegation and has to deal
Thank you everyone for your feedback on the meaning of lame delegation. I
expected some different interpretations, although maybe not this many! I will
take this feedback to the SSAC work party for discussion there about whether or
not to use the term in the report (perhaps with a
On Tue, Apr 04, 2023 at 10:48:11PM +0200, Havard Eidnes wrote:
> > At the time such a delegation response is being processed by a resolver,
> > it looks just fine. Nothing to see here, move along (down the tree)...
>
> I disagree. If either ns1.provider.net or ns2.provider.net is not
>
>> > ; ANSWER
>> > ; AUTHORITY
>> > example.com. IN NS ns1.provider.net.
>> > example.com. IN NS ns2.provider.net.
>> >
>> > is a valid delegation response (and so not from this perspective a LAME
>> > delegation), whether or not the target servers actually serve the zone.
>>
>> I
On Tue, Apr 04, 2023 at 06:40:55PM +0200, Havard Eidnes wrote:
> > ; ANSWER
> > ; AUTHORITY
> > example.com. IN NS ns1.provider.net.
> > example.com. IN NS ns2.provider.net.
> >
> > is a valid delegation response (and so not from this perspective a LAME
> > delegation), whether or
>> I believe that the most natural perspective is from the view point of a
>> resolver attempting to classify a (non?)response to a query sent to an
>> authoritative server.
>
> Another way of thinking about this perspective is that, e.g., a
> delegation response from a.gtld-servers.net (.COM
Joe Abley wrote on 2023-04-04 09:14:
> ...
I think it's pretty common to talk about one nameserver for a zone being lame
and another nameserver for the same zone not. Certainly that's not an uncommon
configuration to find in the wild.
I have always used "lame delegation" to refer to the
On Apr 4, 2023, at 11:49, Jared Mauch wrote:
> On Apr 3, 2023, at 4:50 PM, John Kristoff wrote:
>
>> Interesting dilemmas. I'm not sure there are obvious answers. Perhaps
>> lame delegation is the general concept, but specific failure modes need
>> better characterization?
>
> I suspect you
> On Apr 3, 2023, at 4:50 PM, John Kristoff wrote:
>
> Interesting dilemmas. I'm not sure there are obvious answers. Perhaps
> lame delegation is the general concept, but specific failure modes need
> better characterization?
I suspect you could declare a definition such as
If
On Mon, Apr 03, 2023 at 05:44:04PM -0400, Viktor Dukhovni wrote:
> I believe that the most natural perspective is from the view point of a
> resolver attempting to classify a (non?)response to a query sent to an
> authoritative server.
Another way of thinking about this perspective is that,
(Incorporating but not quoting various other responses in this thread,
implicitly, based on the dates they were sent.)
On Mon, Apr 3, 2023 at 1:02 PM Wessels, Duane wrote:
> Dear DNSOP,
>
> I am participating in an SSAC work party where we are writing about DNS
> delegations where a delegated
The shortest path out is to avoid use of the term and be explicit
about the 3 (false trichotomy: there may be more) cases. If they lack
labels, then number the bullet points or paragraphs and refer to them
as RSSAC-.A.B.[C|D|E] instances until the name(s) settle.
We're unlikely to terminate in a
On Mon, Apr 03, 2023 at 08:02:16PM +, Wessels, Duane wrote:
> I am participating in an SSAC work party where we are writing about
> DNS delegations where a delegated name server might be available for
> registration, allowing an attacker to participate in the resolution
> for the domain.
ufb...@internetstiftelsen.se>
Technical Expert
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899
https://internetstiftelsen.se/
From: DNSOP on behalf of Wessels, Duane
Date: Monday, 3 April 2023 at 22:03
To: dnsop@ietf.org
Subject: [DNSOP] Meaning of lame delegation
Dear DNSOP,
On Mon, 3 Apr 2023 20:02:16 +
"Wessels, Duane" wrote:
> (1) NS.EXAMPLE.ORG resolves to an IP address. Queries to the IP
> address result in a REFUSED, SERVFAIL, upward referral, or some other
> indication the name server is not configured to serve the zone.
May be lame. I could imagine an
>> There are three possible situations in which this might be
>> considered a lame delegation:
>
> (4) What if NS.EXAMPLE.ORG does respond to EXAMPLE.NET queries
> but claims that the correct name server is NS.EXAMPLE.COM?
>
> Does that make the delegation NS "lame" since resolvers
>
On 03Apr23, Wessels, Duane apparently wrote:
> Naturally, we turned to RFC 8499, DNS Terminology, but found the entry not
> particularly helpful
Having recently been involved in writing a tool to check delegations and report
errors in a "call to action" way for generalist admins, I agree that
> Dear DNSOP,
>
> I am participating in an SSAC work party where we are writing
> about DNS delegations where a delegated name server might be
> available for registration, allowing an attacker to participate in
> the resolution for the domain. During report drafting we
> considered using the
Dear DNSOP,
I am participating in an SSAC work party where we are writing about DNS
delegations where a delegated name server might be available for registration,
allowing an attacker to participate in the resolution for the domain. During
report drafting we considered using the term "lame