[dns-operations] [Security] Glue or not glue?

Peter Koch pk at denic.de
Mon May 4 08:51:38 UTC 2015


On Mon, May 04, 2015 at 09:11:28AM +0200, Stephane Bortzmeyer wrote:

> agency) recommends to prefer delegations with glue because glueless
> delegations "may carry additional risks since they create a
> dependency". Is there any other "best practices" text which makes such
> a recommendation?
> 
> http://www.ssi.gouv.fr/entreprise/guide/bonnes-pratiques-pour-lacquisition-et-lexploitation-de-noms-de-domaine/
> (in French only)

After the re-discovery of AXFR "vulnerabilities", this is more old news.

There have been various research papers about "transitive trust" and suggestions
about "in bailiwick glue", which mostly view the system starting from an empty
cache.  The recommendation as such neglects the practicalities of maintaining
the glue RRSets in the parent zone. So, from the perspective of a registry, I'd
be a bit unhappy.

More importantly, while DNSSEC is mentioned in the paper, I do not see,
maybe due to lack of language skills, DNSSEC being recommended as explicitly
as "delegations with glue".

There are other recommendations that have turned out to be not free of
controversy in the past, like recommendation 9 on TTLs, not distinguishing
infrastructure and "leaf" data as well as recommendation 14 on the RRL
slip value.

Getting these recommendations straight is not an easy task. Balancing between
different target audiences and breadth and depth of the advice versus available
space almost always makes it a matter of compromise and I'm sure the next version
might benefit from feedback by the community.

-Peter


