I followed previous discussions on this draft but don't remember all of
the details, so I may be rehashing some old discussions (in which case
that's not intentional...)
Overall: I think the idea is useful and it's eventually worth
publishing. But I've noticed a few non-trivial points that may have
to be addressed before publication.
- Section 1 (introduction), the first paragraph:
This document specifies how a child zone in the DNS ([RFC1034],
[RFC1035]) can publish a record to indicate to a parental agent that
it may copy and process certain records from the child zone. The
existence of and value change of the record may be monitored by a
parental agent and acted on as appropriate.
I vaguely remember someone already pointed this out, but anyway: I'm
afraid the term "parental agent" is not so widely shared that we can
safely use it without first giving the definition. One easy way to
address this would be to add a forward reference to Section 1.1 at
the first occurrence of the term. If possible, it would be even
nicer if we can avoid using this term until the definition is given
in Section 1.1. For the same reason, it would be safer to avoid
using it in the abstract.
- Section 3 (in general)
Do we need some way to avoid making the parental agent keep fetching
RRsets specified in CSYNC only to confirm they are still the latest?
draft-ietf-dnsop-delegation-trust-maintainance has a way to avoid
that by removing CDS/CDNSKEY once all parent name servers are
updated.
- In Section 3.1, it suggests a sequence of CSYNC and other followup
queries enclosed by SOA queries, and requires serials of the SOAs be
identical (with a MUST). I wonder if this is reliable enough for a
rapidly changing zone, such as those accepting dynamic updates at a
very high rate. We might say such cases are out of scope of this
mechanism, but I personally think such an environment is not so
deviant that a standard-track protocol can casually ignore. At the
very least I would like to see some explicit consideration text on
the expected limitation (if any) regarding this point
- Section 3.1
[...] If
state is being kept by the parental agent and the SOA serial number
is less than the last time a CSYNC record was processed, this CSYNC
record SHOULD NOT be processed. Similarly, if state is being kept by
the parental agent and the SOA Serial Field of the CSYNC record is
less than the SOA Serial Field of the CSYNC record from last time,
then this CSYNC record SHOULD NOT be processed.
I'm not sure about the point of these "SHOULD NOT"s. If it's okay
with ignoring mismatches with stored state, why would the parental
agent bother to keep the state in the first place? Since keeping
the state itself is optional, it seems to make more sense to use
"MUST NOT" here.
- Section 3.2
NS records found within the child's zone should be copied verbatim
and the result published within the parent zone should be an exact
matching set of NS records.
Does "verbatim" indicate that the TTL should also be copied? The
same question applies to Section 3.2.2, although "verbatim" isn't
used in that section.
- Section 3.2: what if the followup NS query results in 'no data'? Of
course, this means the child zone is broken, but if the parent also
removes the NS RRsets, subsequent resolution for the zone will
immediately fail at the parent zone; on the other hand, if the
parent just ignores such result and keeps the NS RRset (and if it's
actually still usable), subsequent resolution will still somehow
work in many cases in practice. I don't know if that's the desired
scenario, and we might rather make it fail sooner rather than
leaving the half-broken state longer. In any case, I think it would
be nicer to mention this case (and what the parent should do) in
this document.
- Section 4.2
We may want to be clearer about how the child name servers and their
addresses are determined to send CSYNC queries if they are not
manually configured. That is, this should essentially come from
the NS and AAAA/A records at the parent zone, and some of these may
be obsolete or even unusable at the time of query (in fact,
reflecting such changes is exactly the purpose of these queries).
This also means the child cannot simply update all NS (or AAAA or A)
records at once, making the old ones unworkable, and expect the
parent will catch up with it. This may be obvious in some sense,
but may still be worth noting.
- Section 4.3
Children deploying NS records pointing to domain-names within their
own children (the "grandchildren") SHOULD ensure the grandchildren's
associated glue records are properly set before publishing the CSYNC
record. I.e., it is imperative that proper communication and
synchronization exist between the child and the grandchild.
I'm afraid this setup requires more discussion. In the following
configuration:
parent: example.com.
child: child.example.com.
child.example.com. NS ns.grand.child.example.com.
grand.child.example.com. NS ns.grand.child.example.com.
ns.grand.child.example.com. AAAA 2001:db8::1
grand child: grand.child.example.com.
ns.grand.child.example.com. AAAA 2001:db8::1
If the AAAA record is changed, the child will update its CSYNC record
with setting the bit for AAAA. According to Section 3.1, the parental
agent will send a query for the AAAA record to the child's name
server, but it will return a delegation to the grandchild, not the
requested AAAA itself, let alone its RRSIG. The parental agent
could then resolve and verify the AAAA separately, but it breaks the
"atomicity" of the operation that this section seems to seek by
enclosing the whole set of queries with two SOA queries.
- Section 6: unfortunately code 61 was already registered for OPENPGPKEY.
[ To be removed prior to publication: The CDS (59), CDNSKEY (60) and
the CSYNC records are all conceptually similar - if the code-point 61
happens to still be Unassigned when the IANA processes this, it would
be nice if that could be used for this.]
- Editorial nits
- Section 2: s/these/three/
The CSYNC RRType contains, in its RDATA component, these parts: an
- Section 2: s/Section Section/Section/ (there are several instances
of this error)
data is processed is described in Section Section 3.
- Section 2: s/any anything/anything/ (?)
if any of the validation results indicate any anything other than
--
JINMEI, Tatuya