On Tue, Mar 28, 2023 at 8:24 AM Peter Thomassen <pe...@desec.io> wrote:

>
>
> On 3/28/23 03:14, Shumon Huque wrote:
> > On Tue, Mar 28, 2023 at 3:45 AM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> >
> >     On Wed, Mar 01, 2023 at 04:27:31PM -0500, Shumon Huque wrote:
> >     Can we at least state that domains with cyclic dependencies are a bad
> >     idea, and may not be supported by all resolvers.  In other words, that
> >     the domain owner can't **rely** on the sibling glue recommended to be
> >     sent in this draft to save the day.
> >
> >     My strong preference is still to delete all reference in the draft to
> >     cyclic dependencies (i.e. not enshrine bad practice).  Which leaves
> >     sibling glue primarily as a performance optimisation, and secondarily
> >     as a last resort when the nameserver IP addresses are wrong or gone
> >     from the authoritative zone (another bad practice).
> >
> >
> > Viktor - I've so far not seen many other people speak up in support of your
> > position. I suspect this is because this draft was discussed to death many
> > months ago during long discussion threads on the list, and there is likely
> > already rough consensus for the current content. Personally, I would be ok
> > with adding a statement that configurations involving cyclic dependencies
> > are not recommended, but others will likely have to also speak up in support
> > of this too.
>
> I support adding such a statement about cyclic dependencies.
>

As do I.


>
> In addition, I would support saying that data suggests that, while
> (non-cyclic) glue records may have a benefit in certain cases, they
> frequently are a source of harm (time-outs), and the trade-off remains
> unclear.
>

I would support this as well.

In my anecdotal experience as an operator, I routinely encounter mismatches
in sibling glue and child zone NS sets that appear to be due to the glue
being forgotten.  My assumption is that, because it's not necessary to
operate, when operators fail to update it they don't receive any kind of
signal that something is wrong.

Viktor's numbers are pretty clear data, though, so nobody should need my
anecdotes to be convinced.  While sibling glue may be a useful optimisation
in some cases, given how poorly maintained it is, it seems to cause more
problems than it solves.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
