[dns-operations] Reporting glue as authoritative data -- Bug!

Paul Vixie paul at vix.com
Tue Jan 29 19:12:45 UTC 2008


> Yeah, the point is that you can interpret what's in 1034 too many different
> ways to say one has to be or the other.  Strident claims can be said that
> "glue is glue" and that would seem to be wise, but people actually running
> the name servers out there had reasons to go with glue as if it was cache.

when DNSSEC came along, this was one of the ambiguities that had to be nailed
down, and it was.  and BIND9 actually does respond this way, and many TLDs
and root name servers operate BIND9... so i don't think that the internet has
stopped working as a result of removing this ambiguity from the running code.

> My preference, given the choice between a running system and a compliant
> system, is to go with the one that runs.  The world wasn't built to conform
> to a specification.

and yet, no authority implementation that has a workaround in place for these
bad resolvers will be able to implement DNSSEC, unless they remove the
workaround or unless we decide that this ambiguity still exists if AD=0, which if
so ought to be documented somewhere (via IETF DNSEXT, not here!)

treating the ambiguity as a virtue or as an immutable part of the backdrop, or
pretending that nailing it down as BIND9 has done would be fatal, are each
unworkable for their various reasons.
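As an added illustration of the distinction being argued over (example code written for this archive page, not from the thread, BIND or any RFC): the two reply shapes a parent-zone server can give when asked for a glue name, and a check that flags the shape the subject line calls a bug. It assumes a constructed query for ns1.example. IN A sent to the server for the parent zone, which is not authoritative for example. and so should answer with a referral (AA clear, NS in the authority section, glue in the additional section) rather than an AA=1 answer carrying the glue address.

```python
import struct

def _name(dotted):  # uncompressed wire-format name
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"

def _rr(owner, rtype, rdata):  # TYPE, CLASS=IN, TTL, RDLENGTH, RDATA
    return _name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def build_response(glue_as_authoritative):
    """Constructed reply from a parent-zone server to 'ns1.example. IN A?': a referral
    (AA=0, glue in additional) or the buggy shape (glue in the answer section, AA=1)."""
    ns = _rr("example", 2, _name("ns1.example"))               # example. NS ns1.example.
    glue = _rr("ns1.example", 1, bytes([192, 0, 2, 1]))         # ns1.example. A 192.0.2.1
    flags = 0x8000 | (0x0400 if glue_as_authoritative else 0)   # QR, plus AA for the bug
    counts = (1, 1, 1, 0) if glue_as_authoritative else (1, 0, 1, 1)  # QD, AN, NS, AR
    body = glue + ns if glue_as_authoritative else ns + glue
    question = _name("ns1.example") + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", 0x1234, flags, *counts) + question + body

def _skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:    # 2-byte pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """For an A query sent to the delegation's parent: 'referral', 'glue-as-authoritative' or 'other'."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    aa = bool(flags & 0x0400)
    off = 12
    for _ in range(qd):                # question: QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    sections = []
    for count in (an, ns, ar):         # collect the RR types present in each section
        types = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            types.append(rtype)
            off += 10 + rdlen
        sections.append(types)
    answer, authority, additional = sections
    if not aa and not answer and 2 in authority and 1 in additional:
        return "referral"
    if aa and 1 in answer:
        return "glue-as-authoritative"
    return "other"
```

The check is only meaningful when the probe goes to the parent's server; the same AA=1 answer from the child zone's own server is a legitimate authoritative reply, which is exactly the ambiguity the message is about.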
