Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2023-03-10 Thread Benno Overeinder

Hi Peter,


On 06/03/2023 23:31, Peter Thomassen wrote:
I just went over the updated wording in draft-ietf-dnsop-rfc8499bis-05, 
and the paragraph 
https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc8499bis-05.html#section-7-2.36 caught my attention.


It uses the term "zone origin", but doesn't say whether it relates to 
the parent or child zone. I was assuming the child, and it took me a 
while to make sense of it (until I noticed that it must mean the parent).


Thank you for your clarification.  This feedback will be incorporated in a 
next revision of the document.



I'd like to suggest clarifying that paragraph. That brings me to your 
question below:


On 11/25/22 14:38, Benno Overeinder wrote:
Thank you for your input and your suggestion to come up with a more 
specific terminology for the "historical" out-of-bailiwick term.  In 
the definition of in-domain and sibling domain, you suggest using the 
0th and 1st order in the definition?  And for out-of-bailiwick use a 
term like "2nd+ order nameservers"?


Pretty much. Here is a version of it that's hopefully better to grasp 
than my previous post, and has examples.


     There are various degrees of relationship between a delegation and its
     name servers.  The degree depends on where their delegation paths from
     the root intersect with the delegated zone's delegation path.

     To establish the degree of relationship for a given name server, count
     how many zone cuts in the delegation path from the root to the zone of
     interest are shared by the delegation path of that name server.  This is
     a measure of unrelatedness between the zone and its name server, called
     "degree of kinship".

     If the degree is 0, then the NS hostname is "in-domain".  For example,
     a delegation for "child.example.com" might have an in-domain name server
     called "ns.child.example.com".  The name server name has all the zone
     cuts from the root that the delegated domain has.

     If this number is non-zero, then the delegation path to the name server
     name branches off from the zone's delegation path.  The "degree of
     kinship" tells you how many zone cuts above the zone of interest this
     happens.  For example, a delegation for "child.example.com" in the
     "example.com" zone might have a "sibling domain" name server called
     "ns.another.example.com", which does not share the final zonecut of
     "child.example.com".  The branching is at "example.com", and the degree
     of kinship is 1.

     An unrelated relationship is one where the degree of kinship is larger
     than 1.  For example, the delegation for "example.jp" might have a
     name server "ns.example.com".  The delegation paths already diverge at
     the root, 2 zone cuts above "example.jp".

This may be a bit verbose, but I'm sure it can be reduced to four 
paragraphs, if needed, that are easier to digest than the four 
paragraphs the draft currently has for these definitions.


While writing the above, I again stumbled over the term "unrelated name 
server". It could mean all kinds of things, such as a name server that 
doesn't claim to be authoritative. People don't always have the 
definitions at hand, and I think using that term is a risky choice 
(especially as "unrelated" is a word from every-day language).


Thank you for further explaining your idea and concept of degree of 
kinship.  The chairs agree that the term "unrelated" is a 
general/everyday language word and not very specific.  We tried to come 
up with a better, more specific word, also with help from others, but we 
and the WG could not come up with a better term.


While the degree of kinship is more specific and helps us define the 
term "unrelated", we feel it adds some complexity to the glue definition 
and is otherwise not used/relevant in the document.  Therefore, we 
suggest that the authors stick to the use of the term "unrelated name 
server".


Best regards,

-- Benno

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
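
The "degree of kinship" wording quoted in the message above can be checked mechanically. The following is an added example, not code from the thread or from any draft; it reads the degree as the number of zone cuts on the zone's delegation path that the name server's path does not share, which is what the message's three examples give. The `ZONE_CUTS` set and all function names are assumptions made for illustration.

```python
# Added example: "degree of kinship" as described in the thread.
# ZONE_CUTS is a constructed sample; real zone cuts come from observing
# delegations (NS RRsets at the parent), not from the names themselves.
ZONE_CUTS = {
    "com", "example.com", "child.example.com", "another.example.com",
    "jp", "example.jp", "net", "example.net",
}


def normalize(name):
    """Lower-case a domain name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def delegation_path(name, zone_cuts):
    """Return the zone cuts at or above `name`, ordered from the root down."""
    parts = normalize(name).split(".")
    path = []
    for i in range(len(parts) - 1, -1, -1):
        candidate = ".".join(parts[i:])
        if candidate in zone_cuts:
            path.append(candidate)
    return path


def degree_of_kinship(zone, ns_host, zone_cuts):
    """Count zone cuts on the zone's path that the NS hostname's path lacks."""
    zone_path = delegation_path(zone, zone_cuts)
    if normalize(zone) not in zone_path:
        raise ValueError(f"{zone!r} is not a known zone cut")
    ns_path = set(delegation_path(ns_host, zone_cuts))
    return sum(1 for cut in zone_path if cut not in ns_path)


def classify(zone, ns_host, zone_cuts):
    """Map the degree to the terms used in the thread."""
    degree = degree_of_kinship(zone, ns_host, zone_cuts)
    if degree == 0:
        return "in-domain"
    if degree == 1:
        return "sibling domain"
    return "unrelated"


if __name__ == "__main__":
    # The three pairs from the message, plus the pair from the 2022-11-03 post.
    for zone, ns in [
        ("child.example.com", "ns.child.example.com"),
        ("child.example.com", "ns.another.example.com"),
        ("example.jp", "ns.example.com"),
        ("example.com", "ns1.example.net"),
    ]:
        print(zone, ns, degree_of_kinship(zone, ns, ZONE_CUTS),
              classify(zone, ns, ZONE_CUTS))
```
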


Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2023-03-06 Thread Peter Thomassen

Hi Benno, all,

I just went over the updated wording in draft-ietf-dnsop-rfc8499bis-05, and the 
paragraph 
https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc8499bis-05.html#section-7-2.36
 caught my attention.

It uses the term "zone origin", but doesn't say whether it relates to the 
parent or child zone. I was assuming the child, and it took me a while to make sense of 
it (until I noticed that it must mean the parent).

I'd like to suggest clarifying that paragraph. That brings me to your question 
below:

On 11/25/22 14:38, Benno Overeinder wrote:

Thank you for your input and your suggestion to come up with a more specific terminology for the 
"historical" out-of-bailiwick term.  In the definition of in-domain and sibling domain, 
you suggest using the 0th and 1st order in the definition?  And for out-of-bailiwick use a term 
like "2nd+ order nameservers"?


Pretty much. Here is a version of it that's hopefully better to grasp than my 
previous post, and has examples.

There are various degrees of relationship between a delegation and its
name servers.  The degree depends on where their delegation paths from
the root intersect with the delegated zone's delegation path.

To establish the degree of relationship for a given name server, count
how many zone cuts in the delegation path from the root to the zone of
interest are shared by the delegation path of that name server.  This is
a measure of unrelatedness between the zone and its name server, called
"degree of kinship".

If the degree is 0, then the NS hostname is "in-domain".  For example,
a delegation for "child.example.com" might have an in-domain name server
called "ns.child.example.com".  The name server name has all the zone
cuts from the root that the delegated domain has.

If this number is non-zero, then the delegation path to the name server
name branches off from the zone's delegation path.  The "degree of
kinship" tells you how many zone cuts above the zone of interest this
happens.  For example, a delegation for "child.example.com" in the
"example.com" zone might have a "sibling domain" name server called
"ns.another.example.com", which does not share the final zonecut of
"child.example.com".  The branching is at "example.com", and the degree
of kinship is 1.

An unrelated relationship is one where the degree of kinship is larger
than 1.  For example, the delegation for "example.jp" might have a
name server "ns.example.com".  The delegation paths already diverge at
the root, 2 zone cuts above "example.jp".

This may be a bit verbose, but I'm sure it can be reduced to four paragraphs, 
if needed, that are easier to digest than the four paragraphs the draft 
currently has for these definitions.

While writing the above, I again stumbled over the term "unrelated name server". It could 
mean all kinds of things, such as a name server that doesn't claim to be authoritative. People 
don't always have the definitions at hand, and I think using that term is a risky choice 
(especially as "unrelated" is a word from every-day language).

Best,
Peter

PS: Sorry for digging up this old message (and for not responding earlier; I 
missed it).



I'd love to hear from other DNSOP participants if there is any support for 
Peter or any other suggestions for a good, more specific alternative term for 
out-of-bailiwick?

-- Benno





Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2022-11-25 Thread Benno Overeinder

Hi Peter,

On 04/11/2022 00:52, Peter Thomassen wrote:



On 11/3/22 17:44, Benno Overeinder wrote:

Questions:

1b.  Does this also mean changing the definition of "out-of-bailiwick"
  to a more historical definition as well?  Or do we still need a
  term for in-domain name server, sibling domain name server and ...
  (alternative for out-of-bailiwick)?

  Is "unrelated name server" a term that can be used?
I think "unrelated name server" is easy to misunderstand, as the term is 
unclear about what kind of relation it refers to. For example, a naive 
interpretation of an "unrelated" nameserver may be a sibling nameserver 
that is operated by another (unrelated) DNS provider. I would think that 
such misunderstandings will be frequent when this term is introduced.


Thinking about various degrees of relationship, the following observation 
occurred to me.


- in-domain nameservers are, in a sense, related to the 0th order (no 
delegations not shared between zone and NS),


- sibling nameservers are related to 1st order (one delegation not 
shared, namely the one from the parent to the NS zone),


- out-of-bailiwick nameservers are related to 2nd or higher order 
(example.com with ns1.example.net has 2 delegations not shared, namely 
the net delegation and the example.net delegation).


One possibility would thus be to establish terminology in terms of n-th 
order. E.g., sibling NS is a "1st-order foreign delegation NS" or 
something like that. -- I'm aware this sounds very bumpy, and it's 
simply what just occurred to me, not at all thought through.


I'm also not trying to crash the interim results, just sharing the 
observation. If not helpful, ignore. :)


Thank you for your input and your suggestion to come up with a more 
specific terminology for the "historical" out-of-bailiwick term.  In the 
definition of in-domain and sibling domain, you suggest using the 0th 
and 1st order in the definition?  And for out-of-bailiwick use a term 
like "2nd+ order nameservers"?


I'd love to hear from other DNSOP participants if there is any support 
for Peter or any other suggestions for a good, more specific alternative 
term for out-of-bailiwick?


-- Benno



Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2022-11-25 Thread Benno Overeinder

Hi Libor,

On 04/11/2022 12:15, libor.peltan wrote:

Hi,

I'm trying to understand this, but not sure if I do. What I see is:

"The definition of bailiwick (in-b, out-of-b) is messed up and any 
further use of it in normative documents will probably lead to 
ambiguities. The proposed tactic is to stop using it and define a new 
term (in-domain) which means the same but its definition will be 
precise and relevant in current state of DNS."


If my understanding above is matching reality, then (note the 
implication) I agree with the proposed tactic.


Indeed, your understanding is correct; that is the intent of the question 
to the WG.


Best,

-- Benno


On 03. 11. 22 at 22:44 Benno Overeinder wrote:

Dear WG,

With the DNSOP rfc8499bis interim in September, we had the action 
point to send two questions to the DNSOP WG to find consensus on the 
bailiwick and glue discussion.


You can find the interim meeting material here 
https://datatracker.ietf.org/meeting/interim-2022-dnsop-02/session/dnsop and the recording of session here https://youtu.be/wY7-f40lDgU.


We will send two questions to the WG, in two separate emails to keep 
the discussion separate.  This email is the first question to the WG 
that addresses the definition of bailiwick.



Questions:

1. Move Bailiwick to historical.

1a.  During the interim, there was a (feeling of) consensus to drop a
 formal definition of "bailiwick", but keep a historical definition
 (how it was interpreted by) of "bailiwick". Also do not define and
 use the term "in-bailiwick".

 Suggested terms to use are "in-domain name server" and "sibling
 domain domain server", as defined and used in
 draft-draft-ietf-dnsop-glue-is-not-optional, section 2.1 and 2.2.

 [The latest draft of glue-is-not-optional does provide a definition
 of sibling domain name servers, but it does not really provide one
 for in-domain name servers.  That would be easy to fix.]

1b.  Does this also mean changing the definition of "out-of-bailiwick"
 to a more historical definition as well?  Or do we still need a
 term for in-domain name server, sibling domain name server and ...
 (alternative for out-of-bailiwick)?

 Is "unrelated name server" a term that can be used?


Thanks,

-- Suzanne, Tim and Benno



Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2022-11-04 Thread libor.peltan

Hi,

I'm trying to understand this, but not sure if I do. What I see is:

"The definition of bailiwick (in-b, out-of-b) is messed up and any 
further use of it in normative documents will probably lead to 
ambiguities. The proposed tactic is to stop using it and define a new 
term (in-domain) which means the same but its definition will be 
precise and relevant in current state of DNS."


If my understanding above is matching reality, then (note the 
implication) I agree with the proposed tactic.


Libor

On 03. 11. 22 at 22:44 Benno Overeinder wrote:

Dear WG,

With the DNSOP rfc8499bis interim in September, we had the action 
point to send two questions to the DNSOP WG to find consensus on the 
bailiwick and glue discussion.


You can find the interim meeting material here 
https://datatracker.ietf.org/meeting/interim-2022-dnsop-02/session/dnsop 
and the recording of session here https://youtu.be/wY7-f40lDgU.


We will send two questions to the WG, in two separate emails to keep 
the discussion separate.  This email is the first question to the WG 
that addresses the definition of bailiwick.



Questions:

1. Move Bailiwick to historical.

1a.  During the interim, there was a (feeling of) consensus to drop a
 formal definition of "bailiwick", but keep a historical definition
 (how it was interpreted by) of "bailiwick". Also do not define and
 use the term "in-bailiwick".

 Suggested terms to use are "in-domain name server" and "sibling
 domain domain server", as defined and used in
 draft-draft-ietf-dnsop-glue-is-not-optional, section 2.1 and 2.2.

 [The latest draft of glue-is-not-optional does provide a definition
 of sibling domain name servers, but it does not really provide one
 for in-domain name servers.  That would be easy to fix.]

1b.  Does this also mean changing the definition of "out-of-bailiwick"
 to a more historical definition as well?  Or do we still need a
 term for in-domain name server, sibling domain name server and ...
 (alternative for out-of-bailiwick)?

 Is "unrelated name server" a term that can be used?


Thanks,

-- Suzanne, Tim and Benno



Re: [DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2022-11-03 Thread Peter Thomassen



On 11/3/22 17:44, Benno Overeinder wrote:

Questions:

1. Move Bailiwick to historical.

1a.  During the interim, there was a (feeling of) consensus to drop a
  formal definition of "bailiwick", but keep a historical definition
  (how it was interpreted by) of "bailiwick". Also do not define and
  use the term "in-bailiwick".

  Suggested terms to use are "in-domain name server" and "sibling
  domain domain server", as defined and used in
  draft-draft-ietf-dnsop-glue-is-not-optional, section 2.1 and 2.2.

  [The latest draft of glue-is-not-optional does provide a definition
  of sibling domain name servers, but it does not really provide one
  for in-domain name servers.  That would be easy to fix.]

1b.  Does this also mean changing the definition of "out-of-bailiwick"
  to a more historical definition as well?  Or do we still need a
  term for in-domain name server, sibling domain name server and ...
  (alternative for out-of-bailiwick)?

  Is "unrelated name server" a term that can be used?

I think "unrelated name server" is easy to misunderstand, as the term is unclear about 
what kind of relation it refers to. For example, a naive interpretation of an "unrelated" 
nameserver may be a sibling nameserver that is operated by another (unrelated) DNS provider. I 
would think that such misunderstandings will be frequent when this term is introduced.

Thinking about various degrees of relationship, the following observation occurred 
to me.

- in-domain nameservers are, in a sense, related to the 0th order (no 
delegations not shared between zone and NS),

- sibling nameservers are related to 1st order (one delegation not shared, 
namely the one from the parent to the NS zone),

- out-of-bailiwick nameservers are related to 2nd or higher order (example.com 
with ns1.example.net has 2 delegations not shared, namely the net delegation 
and the example.net delegation).

One possibility would thus be to establish terminology in terms of n-th order. E.g., sibling 
NS is a "1st-order foreign delegation NS" or something like that. -- I'm aware 
this sounds very bumpy, and it's simply what just occurred to me, not at all thought 
through.

I'm also not trying to crash the interim results, just sharing the observation. 
If not helpful, ignore. :)

Best,
Peter

--
https://desec.io/



[DNSOP] DNSOP rfc8499bis Interim followup consensus on historical definition of bailiwick

2022-11-03 Thread Benno Overeinder

Dear WG,

With the DNSOP rfc8499bis interim in September, we had the action point 
to send two questions to the DNSOP WG to find consensus on the bailiwick 
and glue discussion.


You can find the interim meeting material here 
https://datatracker.ietf.org/meeting/interim-2022-dnsop-02/session/dnsop 
and the recording of session here https://youtu.be/wY7-f40lDgU.


We will send two questions to the WG, in two separate emails to keep the 
discussion separate.  This email is the first question to the WG that 
addresses the definition of bailiwick.



Questions:

1. Move Bailiwick to historical.

1a.  During the interim, there was a (feeling of) consensus to drop a
 formal definition of "bailiwick", but keep a historical definition
 (how it was interpreted by) of "bailiwick". Also do not define and
 use the term "in-bailiwick".

 Suggested terms to use are "in-domain name server" and "sibling
 domain domain server", as defined and used in
 draft-draft-ietf-dnsop-glue-is-not-optional, section 2.1 and 2.2.

 [The latest draft of glue-is-not-optional does provide a definition
 of sibling domain name servers, but it does not really provide one
 for in-domain name servers.  That would be easy to fix.]

1b.  Does this also mean changing the definition of "out-of-bailiwick"
 to a more historical definition as well?  Or do we still need a
 term for in-domain name server, sibling domain name server and ...
 (alternative for out-of-bailiwick)?

 Is "unrelated name server" a term that can be used?


Thanks,

-- Suzanne, Tim and Benno
