To:
Paul Vixie <vixie@vix.com>
Cc:
dnsop@cafax.se
From:
JINMEI Tatuya / �$B?@L@C#:H�(B
<jinmei@isl.rdc.toshiba.co.jp>
Date:
Thu, 20 Nov 2003 02:36:24 +0900
In-Reply-To:
<g3vfphnoy3.fsf@sa.vix.com>
Sender:
owner-dnsop@cafax.se
User-Agent:
Wanderlust/2.10.1 (Watching The Wheels) Emacs/21.3 Mule/5.0 (SAKAKI)
Subject:
Re: morishita-dnsop-misbehavior-against-aaaa
>>>>> On 19 Nov 2003 01:10:12 +0000,
>>>>> Paul Vixie <vixie@vix.com> said:
> if you learn of the existence of an NS RRset, most likely due to reception
> of a delegation response, but you do not know all of the glue (A and AAAA)
> for those NS.NSDNAMEs, then it's probably best that you go out and fetch it
> so that your own subsequent emissions of this NS RRset can include full glue.
> (a common cause of knowing an NS RRsets without full glue is "truncation".)
> however, it's important not to be overly aggressive in fetching such glue,
> where one definition of "overly" is "trying to fetch what doesn't exist."
> interrim (current, that is) BIND8 and BIND9 are overly aggressive, in that
> they will search for AAAA whenever its absence is felt during the
> construction of an additional data section. (and the root servers cried.)
Could you be more specific on "whenever its absence is felt"? As far
as I can see in the code, BIND9 seems to limit itself about fetching
missing glues when it knows the glue RR for the particular type
doesn't exist (that is, the "NOERROR and an empty answer" case). So,
if an appropriate negative TTL is provided, the fetching should be
leveraged.
I'm also not sure if this really makes the root servers cry. Consider
the typical case (as of today) where an authoritative server only has
an IPv4 address (and the corresponding A RR is provided, of course).
When a recursive name server first tries to fetch A/AAAA RRs for the
authoritative server, it may ask a root server. However, once the
recursive server knows the IPv4 address of the authoritative server,
succeeding queries for AAAA RRs will be directly sent to the
authoritative server, without making additional queries to root
servers (until the TTL for the cached A RRs expires).
A subtle situation may happen if the authoritative server "misbehaves"
as described in the morishita draft, though. For example, if the
server ignores queries for AAAA RRs, the recursive server may try to
fetch the AAAA RRs in an "overly aggressive" way.
> the right thing to do is query for both A and AAAA if you lack both A and
> AAAA. this can lead to the unfortunate corner case where silent truncation
> dropped an AAAA (or an A) RRset but left the A (or AAAA) in place. it's
> probably important to recommend the use of round robin to "spread the pain"
> during such corner case events. it's also important to prioritize the glue
> so that the kind most likely to be missed if absent (A RRs) are done first,
> since whenever AAAA RRs are going to be useful, EDNS0 will have been used.
I'd like to make the above points clear first, but anyway, another
possible way would be to introduce a timer before re-fetching missing
glues. I think BIND[89] already takes this approach for the case
where a remote server that did not support EDNS0 has then supported
the extension.
> is this an appropriate topic for the morishita or durand drafts?
I don't think the morishita draft is an appropriate of the issue
itself, since the draft is concentrating on how an authoritative
server (badly) responds to AAAA (or non-A in general )queries.
However, it might be useful to mention the issue as an effect of the
misbehavior (i.e., the subtle situation I mentioned above).
JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei@isl.rdc.toshiba.co.jp
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
Home |
Date list |
Subject list