To:
"D. J. Bernstein" <djb@cr.yp.to>
cc:
ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Wed, 01 Aug 2001 20:52:13 +0700
In-Reply-To:
<20010801124445.30844.qmail@cr.yp.to>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Joint DNSEXT & NGTRANS agenda
Date: 1 Aug 2001 12:44:45 -0000 From: "D. J. Bernstein" <djb@cr.yp.to> Message-ID: <20010801124445.30844.qmail@cr.yp.to> | This ``perverse method'' has been used by all versions of BIND since | 1997, and of course by every version of my cache. The need for it is | explained in detail in http://cr.yp.to/djbdns/notes.html. I haven't looked to see whether BIND really does that or not, but there is certainly no need for it (and I actually doubt it a bit). To be more clear, the web page (originally) referred to suggests that the DNS should have originally used foo.example.com. IN NS 192.168.1.17 instead of foo.example.com. IN NS ns.example.com. ns.example.com. IN A 192.168.1.17 That is, advocating server resolution of indirection. If one were to assume that that is how things should be done, then one must also assume that a DNS packet containing foo.example.com. IN NS 192.168.1.17 encoded in some DNS format binary form would be acceptable. But apparently it isn't, if the DNS binary form is ... foo.example.com. IN NS trash-name. trash-name. IN A 192.168.1.17 where the 2nd occurrence of "trash-name." is, of course, just a pointer back to the first one using internal DNS name compression techniques. Given the currently adopted format for DNS packets, which contains a (compressible) label as the value of a NS RR, encoding the server side resolution of the NS record indirection in this (2 RR) way is the obvious thing to do - it retains compatability with the rest of the deployed DNS. The pair of RRs given there allow the IP address of the nameserver for the foo.example.com. domain to be located, which is what is needed to actually use it to lookup names in the foo.example.com. domain of course. That's exactly the same as if the NS record had contained the address in the first place. The two encoding methods are isomorphic. For anyone to seriously claim that server side resolution of the indirection is the way things should be done, and that for some security or reliability related reason, this cannot be be made to work, begs credulity. Note: no-one said anything about caching the "trash-name. IN A .." record anywhere, or using it for any purpose at all, other than for finding the address of the nameserver for the domain. This works for NS records, it works for A6, it works for anything else, and is exactly as reliable and secure as would putting all of the data into one RR. The only difference is in the cases where the extra A record is not included with the original response, which is a deliberate choice to trade off some extra round trips (queries) (and hence lower reliability a little) for the extra flexibility it gives. | > for NS records, A6 0 should be used... | How is that going to be enforced? I didn't say it needed to be enforced - I was reacting to the suggestion that people were being encouraged to use A6 in the way your web page suggests. But if it were to be enforced, the place to do it would be when the delegation is done. eg: right now, if you attempt to delegate a domain in a zone I manage, your listed NS list will be checked, and if any of those is a CNAME, rather than having an A record (for IPv4 delegations) then I simply won't do the delegation. You either give the name an A record, or use a different NS name, or your domain isn't delegated. For IPv6 I can, if I desire, simply check that the A6 record of the NS is an A6 0 format - if that turns out to be the right thing to do (which the A6 RFC suggests it probably will be, but until we get it tested it is hard to know for sure). | Are caches going to abort NS lookups that involve A6 indirection? I expect not, as they don't necessarily abort NS lookups when a CNAME is found. That the resolver (a cache is just a storage mechanism for results that have been obtained previously, it is the resolver that is doing the lookup) is able to translate the name doesn't mean that it is the way that it should be deployed. | What about all the other ways that A6 can lead to loops? They will result in lookup failures - just as do CNAME loops, and NS loops, and all of the other ways that people can shoot themselves. If you want your names to be useful for people, you make sure they're entered in a way that works. If you don't care, then you don't, and people won't be able to use your name. That's the way it is now, it is the way it should remain. kre