To:
"D. J. Bernstein" <djb@cr.yp.to>
cc:
ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Thu, 02 Aug 2001 17:47:23 +0700
In-Reply-To:
<E15S0yz-000Ja9-00@psg.com>
Sender:
owner-dnsop@cafax.se
Subject:
Re: Joint DNSEXT & NGTRANS agenda
Date: Wed, 01 Aug 2001 11:44:37 -0700 From: "D. J. Bernstein" <djb@cr.yp.to> Message-ID: <E15S0yz-000Ja9-00@psg.com> | For example, when a .com server says barclays.com NS ns1.barclays.co.uk, | the client has to go look up the ns1.barclays.co.uk address. Is this | because the client is protecting itself against poison? No. It's because | the .com servers DO NOT HAVE THAT ADDRESS. What your web page said was ... Even if the address is provided, the cache won't accept it because .net addresses are not within the bailiwick of a .com server; this is the standard protection against poison. If the address is needed for correct operation, it is trivially easy for the COM server to be told it (or even go look it up, as a part of a server side indirection, other than the volume requirements in that particlar case). This is just standard glue processing (the way it is supposed to be done anyway). It is only this "standard protection against poison", which is totally bogus, as I showed in my last message, that would actually cause this to be a problem that can't easily be fixed. | Server-side indirection means that the server _does_ have the address. | In this case, the server can easily use an in-bailiwick name for the | address, so the normal anti-poisoning rules once again have no effect. But there's no poison involved, no-one ever said anything about putting anything in the cache. All that's relevant is that the address be associated with the NS record for the purposes of finding the nameserver, right now. What the name is should be 100% irrelevant. | The client avoids the extra lookups and the possibility of loops. And instead, the server does the extra lookups, and gets the possibility of loops? One of the design goals of many protocols (I wasn't around for the original DNS design, so I can't say for sure it was one here, but I wouldn't be surprised if it was) is to take the hard work away from the critical point, and distribute it. In this scenario, the DNS server is the critical point, the clients are distributed all over. DNS servers typically have lots of queries to answer - clients usually have nothing much else to do while doing the name lookup. Having the client do more work to make less work for the server is an attractive proposition - even if that means more overall work for the internet as a whole. | The reason I recommend in-bailiwick names within the existing DNS | architecture is that those names force the server to collect the | address. Putting IP addresses into NS records directly would have the | same beneficial effect. As my previous message showed, if implemented properly, any name can have the same benefit of the server knows the address, so can supply it. If the server doesn't know the address, then we're asking that the additional work be done at the point where it can be done with less impact. kre