Re: [DNSOP] unrelated name server name recommendation
Thanks, Duane,

> From: "Wessels, Duane"
> I understood Fujiwara’s proposal to be slightly different:
>
> If you are a DNS provider (hosting other zones) then the provider should use
> in-domain name servers.
> DW

This is what I would like to propose. I would like good texts.

As Shumon pointed out, many DNS providers offer in-domain name server names; however, there are many "unrelated" name server names in use.

I know that many DNS hosting providers use in-domain name servers in their infrastructure. (For example, Amazon/AWS, Cloudflare, ...)

--
Kazunori Fujiwara, JPRS

>> On Mar 4, 2024, at 3:14 PM, Paul Wouters wrote:
>>
>> On Mar 4, 2024, at 14:04, Paul Vixie wrote:
>>>
>>> this means a zone will always be reachable through at least one in-zone
>>> data path (name server name and associated address records.) the result
>>> would be that a full resolver would never have to pause its current lookup
>>> while searching for address records matching an out-of-zone name server
>>> name.
>>>
>>> i think it's a solid recommendation,
>>
>> It means every registrant, who doesn’t know about DNS, has to create host
>> objects for glue and whenever the ISP changes nameserver names (eg gets
>> bought, sold or merges), or IP address, the ISP has to talk to the
>> registrant to fix things at their registry. I can promise you those
>> in-domain name servers will quickly become very unreliable.
>>
>> Paul

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] unrelated name server name recommendation
On Sun, Mar 3, 2024 at 11:34 PM Kazunori Fujiwara wrote:
> dnsop WG,
>
> "unrelated" (or, previously called as out-of-bailiwick) name server names
> are necessary for DNS hosting providers.

Fujiwara-san,

I have to nitpick your very first statement above. Many DNS providers do offer the ability to pick "vanity" or "custom" nameserver names, which their customers can use to deploy in-domain nameservers. This could be because the customer really does want to make DNS resolution efficient. But it could be for other reasons (branding, or some other perceived security reason). My employer uses such features extensively.

This is not simply the customer pointing their own names at the provider's DNS server addresses. This is a contract with the provider that they will maintain that association and won't change the IP addresses from under them (the "going stale" problem) without advance notice and coordination.

I think I agree with your general goal, but as others have remarked, there is no way to enforce this, so at best this could be a recommendation.

Shumon.
Re: [DNSOP] unrelated name server name recommendation
Paul Wouters wrote on 2024-03-04 11:14:
> On Mar 4, 2024, at 14:04, Paul Vixie wrote:
>> this means a zone will always be reachable through at least one in-zone
>> data path (name server name and associated address records.) the result
>> would be that a full resolver would never have to pause its current lookup
>> while searching for address records matching an out-of-zone name server
>> name.
>>
>> i think it's a solid recommendation,
>
> It means every registrant, who doesn’t know about DNS, has to create host
> objects for glue and whenever the ISP changes nameserver names (eg gets
> bought, sold or merges), or IP address, the ISP has to talk to the
> registrant to fix things at their registry. I can promise you those
> in-domain name servers will quickly become very unreliable.

not. the rest of the paragraph you quoted six words from above was:

> i think it's a solid recommendation, but can only be a SHOULD not a MUST,
> both because of the installed base / long tail, and the impossibility of
> enforcing it, and the market needs of parking lots.

it's not a "has to". i expect it either won't be used when a sale is possible, or will be removed prior to such sale. i see fujiwara's proposal as a way to reduce distributed system complexity for those who can behave this way, and strictly as a recommendation.

--
P Vixie
Re: [DNSOP] unrelated name server name recommendation
> On 4 Mar 2024, at 19:14, Paul Wouters wrote:
>
> It means every registrant, who doesn’t know about DNS, has to create host
> objects for glue and whenever the ISP changes nameserver names (eg gets
> bought, sold or merges), or IP address

Er, no. It’ll be the registrant’s registrar who will screw this up - not the registrant (who can’t even spell DNS). Besides, in most cases it’ll be the registrar who looks after that delegation info and also provides DNS service for the registrant’s domain name.
Re: [DNSOP] unrelated name server name recommendation
I understood Fujiwara’s proposal to be slightly different:

If you are a DNS provider (hosting other zones) then the provider should use in-domain name servers.

DW

> On Mar 4, 2024, at 3:14 PM, Paul Wouters wrote:
>
> On Mar 4, 2024, at 14:04, Paul Vixie wrote:
>>
>> this means a zone will always be reachable through at least one in-zone data
>> path (name server name and associated address records.) the result would be
>> that a full resolver would never have to pause its current lookup while
>> searching for address records matching an out-of-zone name server name.
>>
>> i think it's a solid recommendation,
>
> It means every registrant, who doesn’t know about DNS, has to create host
> objects for glue and whenever the ISP changes nameserver names (eg gets
> bought, sold or merges), or IP address, the ISP has to talk to the registrant
> to fix things at their registry. I can promise you those in-domain name
> servers will quickly become very unreliable.
>
> Paul
Re: [DNSOP] unrelated name server name recommendation
On 3/4/24 15:14, Paul Wouters wrote:
> It means every registrant, who doesn’t know about DNS, has to create host
> objects for glue and whenever the ISP changes nameserver names (eg gets
> bought, sold or merges), or IP address, the ISP has to talk to the
> registrant to fix things at their registry. I can promise you those
> in-domain name servers will quickly become very unreliable.

For reference, Viktor's analysis from last year, on glue in .org:
https://mailarchive.ietf.org/arch/msg/dnsop/EBT2_wg8XJkArA1boRX7GNSKdKw/

The analysis focuses on sibling glue, not only in-domain, but my main takeaway is that 75% of them are stale.

Peter

--
https://desec.io/
Re: [DNSOP] unrelated name server name recommendation
On Mar 4, 2024, at 14:04, Paul Vixie wrote:
>
> this means a zone will always be reachable through at least one in-zone data
> path (name server name and associated address records.) the result would be
> that a full resolver would never have to pause its current lookup while
> searching for address records matching an out-of-zone name server name.
>
> i think it's a solid recommendation,

It means every registrant, who doesn’t know about DNS, has to create host objects for glue and whenever the ISP changes nameserver names (eg gets bought, sold or merges), or IP address, the ISP has to talk to the registrant to fix things at their registry. I can promise you those in-domain name servers will quickly become very unreliable.

Paul
Re: [DNSOP] unrelated name server name recommendation
Ben Schwartz wrote on 2024-03-04 07:20:
> To rephrase, it sounds like you are proposing a rule that zones should be
> configured to use at most one glueless delegation step.

i think it's the inverse. according to fujiwara-san's comments each zone must have at least one in-zone name server name:

this means a zone will always be reachable through at least one in-zone data path (name server name and associated address records.) the result would be that a full resolver would never have to pause its current lookup while searching for address records matching an out-of-zone name server name.

i think it's a solid recommendation, but can only be a SHOULD not a MUST, both because of the installed base / long tail, and the impossibility of enforcing it, and the market needs of parking lots.

--
P Vixie
Re: [DNSOP] unrelated name server name recommendation
To rephrase, it sounds like you are proposing a rule that zones should be configured to use at most one glueless delegation step. Under this rule, one cannot place an "unrelated nameserver name" anywhere beneath a zone cut that itself uses an unrelated nameserver. Effectively, all zones below such a zone cut are "second class" zones for this purpose.

This breaks a symmetry of the DNS: there are now two different kinds of zones, where previously there was only one. It's also strange that this distinction depends on the configuration of some parent or grandparent zone that is not controlled by the zone in question, and can change at any time.

I appreciate that glueless delegations have some downsides, and may be worth avoiding in some cases, but I think the proposed rule is too restrictive. I would be more interested in a document (perhaps non-IETF) showing how adding complexity to your zone's resolution process impacts resolution time, error rate, and frequency of misconfigurations.

--Ben Schwartz

From: DNSOP on behalf of Kazunori Fujiwara
Sent: Sunday, March 3, 2024 11:34 PM
To: dnsop@ietf.org
Subject: [DNSOP] unrelated name server name recommendation

> dnsop WG,
>
> "unrelated" (or, previously called as out-of-bailiwick) name server names
> are necessary for DNS hosting providers.
>
> However, it increases name resolution costs. Furthermore, it makes it easy
> to make mistakes like cyclic dependencies.
>
> So, I would like to make some recommendations on "unrelated" name server
> names. I submitted "draft-fujiwara-dnsop-unrelated-name-server-00" as a
> first step.
>
> https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-unrelated-name-server/
>
> I proposed that the domain names that host the name server names MUST be
> resolvable by delegations using one or more in-domain name server names.
>
> I'm not able to write well, I'm looking for good text.
>
> Let's improve the current DNS before DELEG RR.
>
> --
> Kazunori Fujiwara, JPRS
[DNSOP] unrelated name server name recommendation
dnsop WG,

"unrelated" (or, previously called as out-of-bailiwick) name server names are necessary for DNS hosting providers.

However, it increases name resolution costs. Furthermore, it makes it easy to make mistakes like cyclic dependencies.

So, I would like to make some recommendations on "unrelated" name server names. I submitted "draft-fujiwara-dnsop-unrelated-name-server-00" as a first step.

https://datatracker.ietf.org/doc/draft-fujiwara-dnsop-unrelated-name-server/

I proposed that the domain names that host the name server names MUST be resolvable by delegations using one or more in-domain name server names.

I'm not able to write well, I'm looking for good text.

Let's improve the current DNS before DELEG RR.

--
Kazunori Fujiwara, JPRS
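The rule proposed above (a zone must be reachable through at least one in-domain name server name with its address records) and the cyclic-dependency mistake it is meant to prevent, as an added Python example that is not code from this thread or from the draft; the zone names, NS sets and glue set are constructed sample data, the function names are my own, and the fixed-point cycle check goes a little beyond the draft's text to show which zones can never bootstrap.

```python
# Added example; not from the thread or draft-fujiwara-dnsop-unrelated-name-server.
# Classifies NS names relative to a delegation, checks the "at least one in-domain
# NS name with glue" rule, and finds zones whose resolution cannot bootstrap.

def _under(name, zone):
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return not zone or name == zone or name.endswith("." + zone)  # "" is the root

def classify(ns_name, zone, parent):
    """in-domain: under the child zone; sibling: under the parent only; else unrelated."""
    if _under(ns_name, zone):
        return "in-domain"
    if _under(ns_name, parent):
        return "sibling"
    return "unrelated"

def hosting_zone(name, zones):
    """Closest enclosing zone among the known zones (longest suffix match), or None."""
    matches = [z for z in zones if _under(name, z)]
    return max(matches, key=len) if matches else None

def has_in_domain_path(zone, parent, ns_names, glue):
    """Draft rule: some NS name is in-domain and has glue, so no lookup must pause."""
    return any(classify(n, zone, parent) == "in-domain" and n in glue
               for n in ns_names)

def unresolvable_zones(delegations, glue):
    """delegations: {zone: (parent, [NS names])}. A zone is resolvable if it meets the
    rule or one of its NS names is hosted in a resolvable zone (None = outside model)."""
    resolvable = {z for z, (p, ns) in delegations.items()
                  if has_in_domain_path(z, p, ns, glue)}
    changed = True
    while changed:  # iterate to a fixed point; leftovers depend only on themselves
        changed = False
        for z, (_, ns) in delegations.items():
            hosts = {hosting_zone(n, delegations) for n in ns}
            if z not in resolvable and (None in hosts or hosts & resolvable):
                resolvable.add(z)
                changed = True
    return sorted(set(delegations) - resolvable)

# Constructed sample: example.net serves itself with glue; example.com uses unrelated
# names under example.net (fine); loop-a/loop-b point only at each other, no glue.
SAMPLE = {
    "example.net.": ("net.", ["ns1.example.net.", "ns2.example.net."]),
    "example.com.": ("com.", ["ns1.example.net.", "ns2.example.net."]),
    "loop-a.example.": ("example.", ["ns.loop-b.example."]),
    "loop-b.example.": ("example.", ["ns.loop-a.example."]),
}
SAMPLE_GLUE = {"ns1.example.net.", "ns2.example.net."}
```

Running `unresolvable_zones(SAMPLE, SAMPLE_GLUE)` reports the two looped zones; example.com passes because the zone hosting its unrelated NS names satisfies the rule itself.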