
Don't emit glue records while walking a zone.

Open ximon18 opened this issue 3 months ago • 5 comments

Glue records are not actually part of the zone, they are just internal metadata used to help answer queries.

This causes unexpected additional records to be emitted by XFR out. See https://github.com/NLnetLabs/cascade/issues/222 for some context.

Note: Currently this PR targets the patches-for-nameshed-prototype branch but it should probably be merged into main, and then included in the patches branch afterwards (although we need to take whatever is good from the patches branch and get rid of it ASAP).

ximon18 avatar Oct 16 '25 09:10 ximon18

Hmm. I'm wondering about this. There can be explicitly defined glue records in the loaded zone, and there can be inferred glue records added to the zone tree to assist where explicit glue records were not defined. Perhaps explicit glue records are part of the zone and should also be emitted? Am I right? Does such a distinction exist in the code? Need to check.

ximon18 avatar Oct 16 '25 09:10 ximon18

Speaking in the context of Cascade: I think glue is part of the zone in the sense that it needs to end up at the public name servers (fetched via XFR from the publication server). Does this change affect that capability or is the change only relevant for signing?

mozzieongit avatar Oct 16 '25 09:10 mozzieongit

Out-of-zone glue definitely needs to be included in an AXFR. This needs to be de-duplicated, however, since the same nameservers can appear multiple times in the zone.

(Which makes me wonder how registries deal with different clients adding different glue for the same name server.)

partim avatar Oct 16 '25 12:10 partim

In the ideal case, a zone has glue only for nameservers that are in the child zone. In that case duplicates are not possible because the nameservers are at the registry level associated with the zone. Registries that allow sibling glue do have all kinds of interesting issues.

Philip-NLnetLabs avatar Oct 16 '25 12:10 Philip-NLnetLabs

> Speaking in the context of Cascade: I think glue is part of the zone in the sense that it needs to end up at the public name servers (fetched via XFR from the publication server). Does this change affect that capability or is the change only relevant for signing?

This doesn't affect glue being served correctly, it only prevents incorrect serving of the same A/AAAA records N times when it should be served once. See https://github.com/NLnetLabs/cascade/issues/222 for an example of what it prevents.

ximon18 avatar Oct 16 '25 14:10 ximon18
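The failure mode the PR description, partim's de-duplication point and the final reply all circle around is a zone walk that emits the glue stored on each delegation, so a nameserver referenced by several delegations (the sibling-glue case) has its A/AAAA record sent N times in an XFR. The following is an added illustration, not code from this PR or from the domain crate: it models a zone tree with constructed `Record`/`Zone` types in which glue is attached per delegation, and contrasts a naive walk with one that emits each record at most once. The names `walk_naive`, `walk_for_xfr`, `occurrences` and `sample_zone` are assumptions of this example.

```rust
use std::collections::{BTreeMap, HashSet};

/// Minimal resource record (constructed for this example; not the domain crate's types).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Record {
    pub owner: String,
    pub rtype: &'static str,
    pub rdata: String,
}

impl Record {
    pub fn new(owner: &str, rtype: &'static str, rdata: &str) -> Self {
        Record { owner: owner.to_string(), rtype, rdata: rdata.to_string() }
    }
}

/// Constructed zone tree: the zone's own records plus, keyed by delegation
/// owner, the glue attached to that delegation to help answer referrals.
pub struct Zone {
    pub apex: String,
    pub authoritative: Vec<Record>,
    pub glue: BTreeMap<String, Vec<Record>>,
}

/// Naive walk: emits the zone's records and then every glue record stored on
/// every delegation, so glue shared between delegations is emitted repeatedly.
pub fn walk_naive(zone: &Zone) -> Vec<Record> {
    let mut out = zone.authoritative.clone();
    for glue in zone.glue.values() {
        out.extend(glue.iter().cloned());
    }
    out
}

/// Walk suitable for XFR out: a seen-set guarantees that every record,
/// glue included, is emitted at most once regardless of how many
/// delegations reference the same nameserver.
pub fn walk_for_xfr(zone: &Zone) -> Vec<Record> {
    let mut seen: HashSet<Record> = HashSet::new();
    let mut out = Vec::new();
    for r in &zone.authoritative {
        if seen.insert(r.clone()) {
            out.push(r.clone());
        }
    }
    for glue in zone.glue.values() {
        for g in glue {
            if seen.insert(g.clone()) {
                out.push(g.clone());
            }
        }
    }
    out
}

/// Number of times `needle` occurs in `records`.
pub fn occurrences(records: &[Record], needle: &Record) -> usize {
    records.iter().filter(|r| *r == needle).count()
}

/// Constructed sample zone: two delegations share a nameserver (sibling glue),
/// so the same A record is attached to both delegations in the tree.
pub fn sample_zone() -> Zone {
    let apex = "example.".to_string();
    let authoritative = vec![
        Record::new("example.", "SOA", "ns.example. hostmaster.example. 1 3600 900 604800 300"),
        Record::new("example.", "NS", "ns.example."),
        Record::new("ns.example.", "A", "192.0.2.53"),
        Record::new("a.example.", "NS", "ns1.a.example."),
        Record::new("b.example.", "NS", "ns1.a.example."),
    ];
    let shared_glue = Record::new("ns1.a.example.", "A", "192.0.2.1");
    let mut glue = BTreeMap::new();
    glue.insert("a.example.".to_string(), vec![shared_glue.clone()]);
    glue.insert("b.example.".to_string(), vec![shared_glue]);
    Zone { apex, authoritative, glue }
}

fn main() {
    let zone = sample_zone();
    let glue = Record::new("ns1.a.example.", "A", "192.0.2.1");
    let naive = walk_naive(&zone);
    let xfr = walk_for_xfr(&zone);
    println!("naive walk: {} records, shared glue emitted {} times", naive.len(), occurrences(&naive, &glue));
    println!("xfr walk:   {} records, shared glue emitted {} times", xfr.len(), occurrences(&xfr, &glue));
}
```

The seen-set keys on the full (owner, type, rdata) triple, which is the granularity at which an AXFR consumer would otherwise observe the duplicate; whether glue is walked from the delegation it hangs off or from a separate glue index does not change the outcome as long as the emit step is idempotent per record.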