On 5 Mar 2018, at 08:14, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> Greetings. As you can see, draft-ietf-dnsop-terminology-bis-09.txt is out.
> Reading the diff might be a bit difficult because of the reorganization of
> some sections that y'all asked for, but I think the result is worth the extra
> effort.
>
> We're still not done yet. I took a hiatus from finishing the list of
> definitions that people wanted more scrutiny on, but will start that again
> soon. I hope we'll be done with that list by mid-April and then be ready for
> WG last call.
>
> As a side note, some of the changes in this version came from people reading
> the document fresh. I encourage folks who were maybe waiting for WG Last Call
> to do a first deep reading of the document to instead do so now. The work
> that everyone is doing on this document will go a long way to making the
> final RFC more valuable for lots of folks entering the field.
I’ve reviewed this, and I think it is a very useful document.
Here are my suggestions, which I hope will help.
My main suggestion is to recommend that people always avoid using the term “DNS
server” or “name server”, since there are two very different kinds of “DNS
server” or “name server”. Instead, people should diligently use the terms
“authoritative server”, and “recursive resolver” to indicate which kind they
are talking about. They have very different rôles, despite the fact that both
can often be done with the same software package.
In your definition of “recursive resolver” I’d also include a note that this is
a misnomer. It’s not recursive, in the classic computer science use of that
term. A true “recursive resolver” would be one that forwarded its query to a
different “recursive resolver”, and so on, until some terminating condition.
That’s recursion in the classic computer science sense. Actually, a DNS
“recursive resolver” is one that performs iterative resolution on behalf of the
requester. The Recursion Desired (RD) bit might have been better specified as
the Iteration Desired (ID) bit. I realize that’s not going to change, but we
should document that dubious use of the term “recursive”.
In the abstract, expand the first mention of DNS:
The Domain Name System (DNS) is defined in literally dozens of different
RFCs.
In this text:
Naming system: A naming system associates names with data. Naming
systems have many significant facets that help differentiate them.
Some commonly-identified facets include:
* Composition of names
I don’t know what “Composition of names” means in this context.
Label: An ordered list of zero or more octets and which makes up a
portion of a domain name. Using graph theory, a label identifies
one node in a portion of the graph of all possible domain names.
A label alone does not uniquely identify a node in the graph. A label
identifies one specific *child* node of the parent at that point in the graph.
A domain name in the global DNS has a maximum total
length of 255 octets in the wire format; the root represents one
octet for this calculation.
Include a reference to Appendix C of RFC 6762 which discusses this topic:
<https://tools.ietf.org/html/rfc6762#appendix-C>
You may conclude that the assessment in RFC 6762 was wrong, but if so, the
terminology document should say so explicitly, rather than just ignoring RFC
6762.
in both English and C the first label in the ordered list is
right-most; but in Arabic it may be left-most
It’s not clear what “first” means here. Maybe write “root label” or “TLD”
instead?
Note that any label in a
domain name can contain any octet value; hostnames are generally
considered to be domain names where every label follows the rules
in the "preferred name syntax", with the amendment that labels can
start with ASCII digits (this amendment comes from Section 2.1 of
[RFC1123]).
This might be a good point to describe the "preferred name syntax" of letters,
digits and hyphens.
Canonical name: A CNAME resource record "identifies its owner name
as an alias, and specifies the corresponding canonical name in the
RDATA section of the RR."
This might be a good point to introduce the concept of a CNAME chain. The
intention of a CNAME resource record is to give the canonical name, but the
purported “canonical name” may itself be an alias of some other “canonical
name”.
Public suffix: "A domain that is controlled by a public registry."
(Quoted from [RFC6265], Section 5.3) A common definition for this
term is a domain under which subdomains can be registered
I would say: “a domain under which subdomains can be registered by third
parties”.
Any domain can have subdomains registered. It’s the third-party aspect that
makes a public registry different.
If
a name server does not find an RRset that matches a query, but it
finds the same name in the same class with a CNAME record, then
the name server "includes the CNAME record in the response and
restarts the query at the domain name specified in the data field
of the CNAME record.
I think this is an example of where “name server” means “recursive resolver”.
3. DNS Response Codes
This lists NOERROR, FORMERR, SERVFAIL, etc. What about NOTAUTH?
RRset: A set of resource records with the same label, class and
type, but with different data.
I think this should say: A set of resource records with the same owner name...
Why state a wrong definition (saying “label”), and then add a clarification
correcting it?
Similarly, an imputed definition
of "resolution" might be "the answer received from resolving".
I would add that "resolution" might mean “the act of resolving”.
While strictly
the difference between these is that one of them sends queries to
another recursive server and the other does not
One of them? One of what? Which one sends queries to another recursive server,
and which does not?
Full resolver: This term is used in [RFC1035], but it is not defined
there. RFC 1123 defines a "full-service resolver" that may or may
not be what was intended by "full resolver" in [RFC1035]. This
term is not properly defined in any RFC.
So? What do we conclude from this?
Recursive query: A query with the Recursion Desired (RD) bit set to
1 in the header.(See Section 4.1.1 of [RFC1035].)
Missing space.
Iterative query: Synonym for non-recursive query that happens to be
a query in a series of recursive queries
I think you need to delete the word “recursive” here. “series of recursive
queries” should just be “series of queries”
the first server pursues the query for the client
I would say, “the first server pursues the query on behalf of the client”
Note that it is
possible for an authoritative server to respond to a query without
the parent zone delegating authority to that server.
Can you elaborate how?
Hidden master: A stealth server that is a primary server for zone
transfers. "In this arrangement, the master name server that
processes the updates is unavailable to general hosts on the
Internet; it is not listed in the NS RRset."
The mention of “updates” here appears out of the blue. Can you elaborate?
A hidden master can also be a secondary server itself.
I would say, “A hidden master for a zone can also be a secondary server for
that zone itself.”
Forwarding: The process of one server sending a DNS query with the
RD bit set to 1 to another server to resolve that query.
How about, “The process of one server sending a DNS query with the RD bit set
to 1 to another recursive resolver to resolve that query.”
That definition appears to suggest that forwarders
normally only query authoritative servers.
I would say, “normally only query authoritative servers, which would make them
recursive resolvers.”
Anycast: "The practice of making a particular service address
available in multiple, discrete, autonomous locations, such that
datagrams sent are routed to one of several available locations."
(Quoted from [RFC4786], Section 2)
State that anycast means that the same IP address routes to different locations.
Instance: "When anycast routing is used...
Instead of “Instance” I would say, “Anycast Instance”
Split DNS: "Where a corporate network serves up partly or completely
different DNS inside and outside its firewall.
I would say, “different DNS *views* inside and outside its firewall”.
* In-domain: an adjective to describe a name server whose name is
either subordinate to...
I would say, “whose name is either a subdomain of...”
* Sibling domain: a name server's name that is either subordinate
to or (rarely) the same as the zone origin and not subordinate
to or the same as the owner name of the NS resource records.
I found this confusing. How about:
* Sibling domain: a name server's name that is either a subdomain of
or (rarely) the same as the *parent* zone origin and not a subdomain of
or the same as the owner name of the *child* NS resource records.
And here:
"Out-of-bailiwick" is the antonym of in-bailiwick. An adjective
to describe a name server whose name is not subordinate to or the
same as the zone origin.
Does this mean “a name server whose name is not a subdomain of or the same as
the *parent* zone origin”?
Glue records for out-of-bailiwick name servers are useless.
I would add: “... are useless, and possibly fraudulent.”
It is noted that this definition might
inadvertently also include any NS records that appear in the zone
What does “inadvertently” mean? Inadvertently how?
Closest provable encloser: "The longest ancestor of a name that can
be proven to exist. Note that this is only different from the
Would it be informative to say, “that can be *cryptographically* proven to
exist” ?
Fast flux DNS: ... It is often used to deliver malware.
Is this the whole story? I think short TTLs are also used to achive load
balancing. The name “www.google.com” has a short TTL, but that’s not so that it
can deliver malware.
Reverse DNS, reverse lookup: "The process of mapping an address to a
I would add that this is *not* IQUERY.
During 2000, the abbreviation was
redesignated to 'Address and Routing Parameter Area' in the hope
of reducing confusion with the earlier network name."
This is mysterious and unenlightening. Please state what the earlier network
name was.
Please say, “the abbreviation was redesignated from 'xxxx' to 'Address and
Routing Parameter Area'”.
Otherwise, this text is just mysterious and confusing to the reader.
These terms are strictly ways of referring to the
relationship standing of two domains where one is a subdomain of
the other.
Maybe we should state explicitly that “subordinate” is a synonym for
“subdomain”?
Zone
enumeration is different from zone content guessing where the
guesser uses a large dictionary of possible labels
Can we elaborate on *how* it is different?
DNSSEC Policy (DP): A statement that "sets forth the security
requirements and standards to be implemented for a DNSSEC-signed
zone." (Quoted from [RFC6841], Section 2)
DNSSEC Practice Statement (DPS): "A practices disclosure document
that may support and be a supplemental document to the DNSSEC
Policy (if such exists), and it states how the management of a
given zone implements procedures and controls at a high level."
(Quoted from [RFC6841], Section 2)
I’m unclear on what these mean. Can we add more explanatory text?
These states are
defined in [RFC4033] and [RFC4035], although the two definitions
differ a bit.
Can we elaborate with more details about *how* these definitions differ?
Stuart Cheshire
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
