

To: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: "D. J. Bernstein" <djb@cr.yp.to>
Date: 2 Aug 2001 12:37:50 -0000
Automatic-Legal-Notices: Copyright 2001, D. J. Bernstein. My transmission of this message to you does not constitute a copyright waiver or any other limitation of my rights, even if you have told me otherwise.
Content-Disposition: inline
Subject: Re: Joint DNSEXT & NGTRANS agenda

Robert Elz writes:
> This is just standard glue processing (the way it is supposed to be
> done anyway).

That's not what the DNS standards say. RFC 1034 states quite clearly
that glue is necessary only for in-bailiwick names.

RFC 1537 says the same thing, and specifically recommends against glue
for out-of-bailiwick names. So does RFC 1912. So does the c.p.t-i.d FAQ:
``Adding [out-of-bailiwick glue] is a very bad idea.'' Of course, BIND
has thrown away out-of-bailiwick glue for years.

You claim that discrimination against out-of-bailiwick glue poses ``a
problem that can't easily be fixed.'' That's absurd. The fix is trivial:
use in-bailiwick names.

What's important---what avoids the reliability problems---is to have all
the information available on the server. This is why I tell my users to
select in-bailiwick names (the server _must_ collect the address in this
case) and to avoid CNAME records. It's also why I oppose A6 and DNAME.

> What your web page said was ...
>        Even if the address is provided, the cache won't accept it
>        because .net addresses are not within the bailiwick of a .com server;
>        this is the standard protection against poison.

You are taking this out of context. The crucial point is that the
address is _not_ provided. The next paragraph on my web page explains
this in more detail.

>   | The client avoids the extra lookups and the possibility of loops.
> And instead, the server does the extra lookups, and gets the possibility
> of loops?

Wrong. Server-side indirection never causes loops. You would understand
this if you read my web page: http://cr.yp.to/djbdns/killa6.html

---Dan
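
Added example, not part of the original message: a minimal Python sketch of the bailiwick check discussed in this thread, in which a cache keeps an address from a referral only when its owner name lies under the zone the responding server was asked about. The function names, the simplified record model and the sample records are assumptions constructed for illustration.

```python
# Simplified model of bailiwick filtering in a DNS cache (illustration only).
# Records are (owner_name, address) pairs; real caches handle full RRsets.

def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(name, zone):
    """True if `name` equals `zone` or is a subdomain of it.

    The comparison is by whole labels, so "badexample.com" is NOT
    inside "example.com" even though it ends with the same characters.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_referral(zone, ns_names, additional):
    """Process a referral received from a server for `zone`.

    ns_names:   NS target names listed in the referral.
    additional: (owner, address) pairs from the additional section.
    Returns (accepted, must_resolve): the address records the cache keeps,
    and the NS names it still has to look up separately.
    """
    accepted = [(o, a) for o, a in additional if in_bailiwick(o, zone)]
    have = {tuple(labels(o)) for o, _ in accepted}
    must_resolve = [ns for ns in ns_names if tuple(labels(ns)) not in have]
    return accepted, must_resolve

# Constructed sample: a .com server delegates example.com to one
# in-bailiwick name and one out-of-bailiwick (.net) name.
SAMPLE_NS = ["ns1.example.com", "ns.example.net"]
SAMPLE_ADDITIONAL = [
    ("ns1.example.com", "192.0.2.1"),   # under .com: kept
    ("ns.example.net", "192.0.2.66"),   # under .net: discarded
]

if __name__ == "__main__":
    kept, pending = filter_referral("com", SAMPLE_NS, SAMPLE_ADDITIONAL)
    print("accepted:", kept)
    print("needs separate lookup:", pending)
```

The out-of-bailiwick name ends up in the second list, which is the extra lookup that choosing in-bailiwick server names avoids.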
