[dns-operations] sibling glue

Joe Abley jabley at hopcount.ca
Tue Jun 23 17:18:59 UTC 2015 


On 23 Jun 2015, at 13:03, Tony Finch wrote:

> A question for those who know more about registry rules than me...
>
> In the .example zone there can be five kinds of delegation NS record
> (taking each record separately rather than the whole delegation NS 
> RRset).

I think there are probably as many answers to this as there are 
registries, and one size definitely doesn't fit all, but let's assume 
you're talking about the kind of EPP data model that grew out of the 
RRP-accessible registries that were operated by Verisign, back in the 
day (i.e. there are domain objects and host objects).

> The requirements I am stating below are from the DNS point of view 
> rather
> than from the registry point of view.

I think that's not going to help you get a clear answer, but let's give 
it a try. People who actually know how registries work can correct all 
the horrible mistakes I'm about to type. It has been a while. The EPP 
spec might be worth reading.

> glue-forbidden.example.		IN	NS	ns0.example.net.
> ;
> ; You must not provide glue when the name server host name is not a
> ; subdomain of the parent domain (.example in this case).

The EPP data model includes host objects and domain objects. Every 
domain is linked to one or more host objects (two or more in practice, 
for policy reasons orthogonal to the data model).

In this case the domain object glue-forbidden.example would be linked to 
a host object ns0.example.net. Since the host object's name is not 
subordinate to the zone to be produced by the registry, it has no 
addresses associated with it. Hence there is no possibility of producing 
a zone from the registry that includes glue records.

> not-glue.example.		IN	NS	ns1.example.
> ;
> ; A child zone's name server host name can be in the authoritative 
> data
> ; for the parent zone. This isn't glue.

In this case the domain object not-glue.example is linked to the host 
object ns1.example. Since the host object's name is subordinate to the 
zone to be produced by the registry (it's named under example) the host 
object must include one or more addresses. This means that the zone 
produced from the registry can include a glue record alongside the 
delegation.

Whether or not a glue record is actually included in the zone depends on 
the algorithm by which the zone is produced from the registry. The most 
simple algorithm is to include a delegation for every domain object and 
glue records for every host object, but other algorithms that 
distinguish between glue that is definitively required and glue that 
might not be required are surely possible.

Of course, it's still possible to shoot yourself in the foot, e.g.

$ORIGIN COW.
DOMAIN IN NS A.DOMAIN.HORSE.
           NS B.DOMAIN.HORSE.

$ORIGIN HORSE.
DOMAIN IN NS A.DOMAIN.COW.
           NS B.DOMAIN.COW.

No glue is possible to include in either of the COW or HORSE zones (the 
corresponding host objects have no address attributes) and hence none of 
{A, B}.DOMAIN.{COW, HORSE} can ever be resolved unless the nameservers 
for COW or HORSE are also authoritative for the DOMAIN.COW or 
DOMAIN.HORSE zones.

> glue-required.example.		IN	NS	ns2.glue-required.example.
> ;
> ; You must provide glue when a child zone has a name server whose host
> ; name is a subdomain of the child zone's apex.

I don't think that condition is part of the EPP data model; the criteria 
that matters here is that the host object's name is subordinate to the 
name of the zone produced from the registry, which means that one or 
more address records for the host are required.

> ; There are two cases where a child zone has a name server whose host 
> name
> ; is a subdomain of a different sibling child zone of the same parent 
> zone.
>
> sibling-must-glue.example.	IN	NS	ns2.glue-required.example.

Ditto.

> ; The name server of this child zone can also be a name server of its
> ; sibling zone, in which case the sibling delegation must provide 
> glue.
>
> sibling-may-glue.example.	IN	NS	ns3.sibling.example.

Ditto.

> ; The name server of this child zone can be a subdomain of its sibling
> ; zone but not a name server for the sibling zone. Glue is optional in
> ; this case.

The host object ns3.sibling.example requires one or more address 
attributes. Whether or not glue records are published depends on the 
zone publication algorithm, as above.


Joe

More information about the dns-operations mailing list