Re: [DNSOP] DELEG and parent only resolution

On 2/1/24 13:55, Havard Eidnes wrote:
>>> Stupid question time:
>>>
>>>> The target of a DELEG alias cannot be stored in the child
>>>> zone. It would not resolve if you do.
>>>
>>> Doesn't this mean that we can never get to an environment where
>>> there only exists DELEG records and no NS records, and still have
>>> a working DNS?
>>
>> DELEG records can contain IP addresses so they can replace NS+glue.
>
> OK, then I don't understand the reasoning behind the claim in the
> innermost quote above. What, then, exactly, prevents you from using a
> target of the DELEG record into the child zone, if it can be made
> equivalent to NS+glue?

The impossibility is only in DELEG alias mode: When used in SVCB-style alias mode, the record doesn't carry any extra key-value pairs, so you can't include the IP address hints. The result would be comparable to a glueless in-bailiwick delegation, leaving the resolver clueless as to how to proceed ...

Best,
Peter

--
https://desec.io/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
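The distinction Peter draws above (alias mode carries no parameters, so an alias target inside the child zone is as unreachable as a glueless in-bailiwick delegation, whereas service-mode records with address hints can stand in for NS+glue) can be checked mechanically from the parent-side RRset alone. The following is an added example, not code from this thread or from the DELEG draft: it assumes DELEG follows the SVCB conventions (priority 0 is alias mode and carries no parameters; address hints live under the keys ipv4hint and ipv6hint), and every zone name, server name and address in it is constructed.

```python
from dataclasses import dataclass, field

ALIAS_MODE = 0  # SVCB convention (assumed for DELEG): priority 0 = alias mode


@dataclass
class Deleg:
    """One DELEG record in SVCB-style form: priority, target, key=value params."""
    priority: int
    target: str                      # nameserver name or alias target, with trailing dot
    params: dict = field(default_factory=dict)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (both fully qualified, trailing dot)."""
    return name == zone or name.endswith("." + zone)


def hints(rr: Deleg) -> list:
    """Address hints of a service-mode record (assumed SVCB key names)."""
    return list(rr.params.get("ipv4hint", [])) + list(rr.params.get("ipv6hint", []))


def plan(rrsets: dict, child_zone: str, owner: str = None, seen: set = None):
    """Decide whether a resolver holding only the parent's DELEG RRset for
    child_zone can learn an address for the child's servers.

    rrsets maps an owner name to its list of Deleg records: the entry for
    child_zone is what the parent publishes; other entries model RRsets the
    resolver can fetch from zones it can already reach (e.g. a DNS hoster's).
    Returns ("ok", [addresses or lookup:<name>]) or ("stuck", reason)."""
    owner = child_zone if owner is None else owner
    seen = set() if seen is None else seen
    if owner in seen:
        return "stuck", f"alias loop at {owner}"
    seen.add(owner)
    rrset = rrsets.get(owner)
    if not rrset:
        return "stuck", f"no DELEG/SVCB RRset at {owner}"
    addresses = []
    for rr in rrset:
        if rr.priority == ALIAS_MODE:
            if rr.params:
                return "stuck", f"alias-mode record at {owner} carries parameters"
            if in_bailiwick(rr.target, child_zone):
                # The alias points into the zone we are still trying to reach and,
                # being alias mode, cannot carry hints: a circular dependency.
                return "stuck", (f"alias target {rr.target} lies inside "
                                 f"{child_zone} and carries no address hints")
            status, detail = plan(rrsets, child_zone, rr.target, seen)
            if status != "ok":
                return status, detail
            addresses.extend(detail)
        else:
            addrs = hints(rr)
            if addrs:
                addresses.extend(addrs)        # hints play the role of glue
            elif in_bailiwick(rr.target, child_zone):
                return "stuck", (f"server {rr.target} is inside {child_zone} "
                                 f"but no address hints: glueless delegation")
            else:
                # Out-of-bailiwick server name: an ordinary address lookup in a
                # zone the resolver can already reach.
                addresses.append(f"lookup:{rr.target}")
    return "ok", addresses


# Constructed sample data; all names and addresses are illustrative.
SAMPLE = {
    # alias into the hoster's namespace: the hoster's RRset carries the hints
    "good.example.": [Deleg(ALIAS_MODE, "ns-set.hoster.test.")],
    "ns-set.hoster.test.": [
        Deleg(1, "ns1.hoster.test.", {"ipv4hint": ["192.0.2.1"]}),
        Deleg(1, "ns2.hoster.test.", {"ipv6hint": ["2001:db8::2"]}),
    ],
    # service mode with hints replaces NS+glue even for in-bailiwick servers
    "glued.example.": [Deleg(1, "ns1.glued.example.", {"ipv4hint": ["192.0.2.53"]})],
    # service mode naming an out-of-bailiwick server needs no hints
    "offsite.example.": [Deleg(1, "ns1.hoster.test.")],
    # alias target inside the child zone: the case the thread calls unresolvable
    "circular.example.": [Deleg(ALIAS_MODE, "ns-set.circular.example.")],
    "ns-set.circular.example.": [Deleg(1, "ns1.circular.example.", {"ipv4hint": ["192.0.2.99"]})],
    # in-bailiwick server without hints: the glueless comparison Peter makes
    "glueless.example.": [Deleg(1, "ns1.glueless.example.")],
}

if __name__ == "__main__":
    for zone in ("good.example.", "glued.example.", "offsite.example.",
                 "circular.example.", "glueless.example."):
        print(zone, plan(SAMPLE, zone))
```

Note that the circular case fails even though the table contains an RRset at ns-set.circular.example.: the check fires before any lookup, because a resolver could only obtain that RRset from the very servers it is trying to find.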
Re: [DNSOP] DELEG and parent only resolution

>> Stupid question time:
>>
>>> The target of a DELEG alias cannot be stored in the child
>>> zone. It would not resolve if you do.
>>
>> Doesn't this mean that we can never get to an environment where
>> there only exists DELEG records and no NS records, and still have
>> a working DNS?
>
> DELEG records can contain IP addresses so they can replace NS+glue.

OK, then I don't understand the reasoning behind the claim in the innermost quote above. What, then, exactly, prevents you from using a target of the DELEG record into the child zone, if it can be made equivalent to NS+glue?

Regards,

- Håvard
Re: [DNSOP] DELEG and parent only resolution

In your letter dated Thu, 01 Feb 2024 10:17:33 +0100 (CET) you wrote:
> Stupid question time:
>
>> The target of a DELEG alias cannot be stored in the child
>> zone. It would not resolve if you do.
>
> Doesn't this mean that we can never get to an environment where
> there only exists DELEG records and no NS records, and still have
> a working DNS?

DELEG records can contain IP addresses so they can replace NS+glue.
Re: [DNSOP] DELEG and parent only resolution

Stupid question time:

> The target of a DELEG alias cannot be stored in the child
> zone. It would not resolve if you do.

Doesn't this mean that we can never get to an environment where there only exists DELEG records and no NS records, and still have a working DNS?

Regards,

- Håvard
Re: [DNSOP] DELEG and parent only resolution

> Let me just point out a key distinction: the typical use case
> of DELEG should be kind-of child centric. Most people will only use
> a simple alias-mode DELEG at the parent, pointing somewhere
> into their DNS hoster's namespace. That's practically important,
> because all the information can then be managed by that entity
> without touching the parent (e.g. on KSK rollovers).

To avoid confusion, we should avoid calling DELEG in alias mode 'child centric'.

The target of a DELEG alias cannot be stored in the child zone. It would not resolve if you do.

Resolvers cannot judge whether the alias at the parent seems sensible or not. So if the parent makes a mistake and points the alias to a random other DNS provider, then resolvers will just blindly follow that link even if they have the child zone cached already.

Personally, I think that is fine. I think a parent delegates name space to a child; the parent can also take it back and point it somewhere else.

However, for people who feel strongly about child centric, something else might be needed.
Re: [DNSOP] DELEG and parent only resolution

On 31/01/2024 09.16, Joe Abley wrote:
> It seems important to be prepared for a long transition phase [...]

Yes, that's been well known since the very beginning of the discussions at IETF 118. Support in resolvers will also take years to deploy widely, even for relatively simple changes.
Re: [DNSOP] DELEG and parent only resolution

On 31 Jan 2024, at 09:04, Vladimír Čunát wrote:

> On 30/01/2024 07.55, Kazunori Fujiwara wrote:
>> It proposes new name resolution using only information on the parent side.
>
> Let me just point out a key distinction: the typical use case of DELEG should
> be kind-of child centric. Most people will only use a simple alias-mode
> DELEG at the parent, pointing somewhere into their DNS hoster's namespace.
> That's practically important, because all the information can then be managed
> by that entity without touching the parent (e.g. on KSK rollovers).

I agree that configuration has advantages and I like that picture of the future. However, that will require new metadata to be bundled with domain registration in transactions between registrant and registrar and between registrar and registry. There are various reasons why that might take a while, even in the most optimistic success scenario for DELEG.

It seems important to be prepared for a long transition phase during which the only delegation information that is passed to domain registries and published in the DNS is that which is passed today, mainly nameserver names, some nameserver addresses in certain cases, and DS RDATA for that sprinkling of child zones whose delegations are secure.

If registry operators use DELEG in their TLDish zones under those circumstances it will not be alias-mode; it will be a simple translation of the NS and DS RRSETs used in old-style delegations.

Joe
Re: [DNSOP] DELEG and parent only resolution

On 30/01/2024 07.55, Kazunori Fujiwara wrote:
> It proposes new name resolution using only information on the parent side.

Let me just point out a key distinction: the typical use case of DELEG should be kind-of child centric. Most people will only use a simple alias-mode DELEG at the parent, pointing somewhere into their DNS hoster's namespace. That's practically important, because all the information can then be managed by that entity without touching the parent (e.g. on KSK rollovers).

--Vladimir | knot-resolver.cz
Re: [DNSOP] DELEG and parent only resolution

To your last point, I've proposed some examples of how "alpn" and "tlsa" ought to work here: https://github.com/fl1ger/deleg/pull/16/files

--Ben Schwartz

From: DNSOP on behalf of Kazunori Fujiwara
Sent: Tuesday, January 30, 2024 1:55 AM
To: dnsop@ietf.org
Subject: [DNSOP] DELEG and parent only resolution

> I read draft-dnsop-deleg-00. It proposes new name resolution using only information on the parent side.
>
> In the past, the dnsop WG debated parent centric name resolution and child centric, and some people did not like parent centric.
>
> If people prefer parent-centric/parent-only name resolution, there are solutions other than DELEG, such as parent centric name resolution, distinguishing the handling of authoritative data, referrals, and glue, and adding a signature of referral/in-domain in the parent. Is anyone interested in proceeding with minor fixes that are not DELEG?
>
> Previously, I proposed draft-fujiwara-dnsop-resolver-update and draft-fujiwara-dnsop-delegation-information-signer. (They are too old and need to be updated.)
>
> Or, I would like to read the complete version of draft-dnsop-deleg that has alpn and tlsa parameters.
>
> Regards,
>
> -- Kazunori Fujiwara, JPRS
[DNSOP] DELEG and parent only resolution

I read draft-dnsop-deleg-00. It proposes new name resolution using only information on the parent side.

In the past, the dnsop WG debated parent centric name resolution and child centric, and some people did not like parent centric.

If people prefer parent-centric/parent-only name resolution, there are solutions other than DELEG, such as parent centric name resolution, distinguishing the handling of authoritative data, referrals, and glue, and adding a signature of referral/in-domain in the parent. Is anyone interested in proceeding with minor fixes that are not DELEG?

Previously, I proposed draft-fujiwara-dnsop-resolver-update and draft-fujiwara-dnsop-delegation-information-signer. (They are too old and need to be updated.)

Or, I would like to read the complete version of draft-dnsop-deleg that has alpn and tlsa parameters.

Regards,

-- Kazunori Fujiwara, JPRS