> Abstract:
>
> The DNS uses glue records to allow iterative clients to find the
> addresses of nameservers that live within the delegated zone. Glue
> records are expected to be returned as part of a referral and if they
> cannot be fitted into the UDP response, TC=1 MUST be set to inform
> the client that the response is incomplete and that TCP SHOULD be
> used to retrieve the full response.
Mark, thank you for writing the draft. I agree this document is needed.

It would be great if we resolved the discussion whether all existing glue records are required or whether some number of glue records is sufficient. I think it needs to be codified in the document.

I tend to agree with the second camp. The motivation is clear: the resolvers need to be able to follow the delegation. However, with a large number of NS records, I don't want to force the resolver to retry if it already has enough information to follow the delegation. It has also been demonstrated that resolvers are pretty bad at picking the server with the best RTT if there are too many servers. The other motivation is just that large responses are possible reflection attack vectors, so the DNS server operators may want to limit the number of glue records returned.

We just opened this discussion internally at NS1 because we serve some zones with more than 10 NS records where each NS requires glue, and our proprietary server by design adds glue only for the first four NS records. We are discussing whether this is correct behavior or whether it needs to be revisited.

I also think there is another proprietary implementation of an authoritative server in the wild which implements a similar policy. It picks a small random subset of the NS records and adds A/AAAA just for these names. If the QNAME matches a name in the NS, A/AAAA for that NS is always included. I find this pretty smart.

Kind regards,
Jan

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
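The glue-subset policy described in the post (the NS whose name equals QNAME is always covered, the rest of the budget is filled with a random subset) combined with the draft's rule that TC=1 is set when the glue does not fit the UDP response, as an added illustration that is not from the draft, from NS1's server or from the other implementation mentioned. Size accounting uses uncompressed names (an upper bound on the real wire size); the zone, NS names and addresses are constructed sample data.

```python
import random

# Constructed sample delegation: six in-bailiwick NS that need glue, one out of bailiwick.
NS_NAMES = [f"ns{i}.example." for i in range(1, 7)] + ["ns.other.test."]
GLUE = {f"ns{i}.example.": [f"192.0.2.{i}"] for i in range(1, 7)}
GLUE["ns6.example."].append("2001:db8::6")  # one NS with both A and AAAA glue

def wire_len(name):
    """Uncompressed wire length of a name: a length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rr_len(owner, rdata_len):
    # owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA
    return wire_len(owner) + 10 + rdata_len

def select_glue(ns_names, glue, qname, max_glue, rng):
    """Glue-subset policy from the post: an NS equal to QNAME is always included,
    then up to max_glue names total are drawn at random from the other NS that need glue."""
    need = [n for n in ns_names if n in glue]          # only in-bailiwick NS have glue
    forced = [n for n in need if n.lower() == qname.lower()]
    others = [n for n in need if n not in forced]
    budget = max(0, max_glue - len(forced))
    return forced + rng.sample(others, min(budget, len(others)))

def build_referral(qname, zone, ns_names, glue, max_glue, udp_size, seed=0):
    """Assemble a referral: all NS in AUTHORITY, selected glue in ADDITIONAL, and
    TC=1 as soon as a selected glue record no longer fits udp_size (draft rule)."""
    rng = random.Random(seed)
    size = 12 + wire_len(qname) + 4  # header + question (QTYPE, QCLASS)
    authority = [(zone, "NS", ns) for ns in ns_names]
    size += sum(rr_len(zone, wire_len(ns)) for ns in ns_names)
    additional, tc = [], False
    for ns in select_glue(ns_names, glue, qname, max_glue, rng):
        for addr in glue[ns]:
            rtype = "AAAA" if ":" in addr else "A"
            rlen = rr_len(ns, 16 if rtype == "AAAA" else 4)
            if size + rlen > udp_size:
                tc = True  # required glue does not fit: client must retry over TCP
                break
            additional.append((ns, rtype, addr))
            size += rlen
        if tc:
            break
    return {"authority": authority, "additional": additional, "tc": tc, "size": size}
```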