How long can an NS chain be?

Suppose you're trying to find the address of www.come.to. You send out
some queries and receive a referral:

     come.to IN NS ns.greenlight.net
     come.to IN NS black.plant.nl

Neither name is in your cache, and there's no glue.

So you put the original request on hold and try to find the address of
ns.greenlight.net. You send out some queries and receive a referral:

     greenlight.net IN NS ns.visualtouch.com
     greenlight.net IN NS black.plant.nl

Neither name is in your cache, and there's no glue.

So you put ns.greenlight.net on hold too and try to find the address of
ns.visualtouch.com. And so on.

There's no guarantee in the DNS architecture that this chain will ever
terminate. In fact, there could be a cycle; length-1 cycles are required
to have glue, but longer cycles are not.

Suppose, however, that the NS chain does terminate. It could have any
length. Is it okay for people to set up an NS chain of length 5? 10? 30?
How far does a resolver have to go? How much memory do implementors have
to dedicate to a single request? Is it okay for a resolver to give up
after several steps? How many? Can a resolver ignore NS records without
glue if there are three NS records with glue? Two? What if those two
servers are unreachable?

The chance of finding glue is going to drop precipitously as new TLDs
are introduced. Chains are going to get longer and longer and longer,
even if nobody falls into the trap of setting up a cycle. Users of a
resolver with an excessively low NS chain limit will find themselves
completely unable to locate certain domains unless the cache is primed.
This is an interoperability problem.

---Dan
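
The glueless chain described in the message above, as an added example that is not part of the original post: a small Python model of a resolver that puts lookups on hold, detects cycles, and gives up at a configurable chain limit. All names under .example, the 192.0.2.x addresses, and the assumption that black.plant.nl is unreachable are constructed for illustration.

```python
# Constructed referral data modelled on the post; not real DNS answers.
# zone -> NS names in the referral. Everything under .example is hypothetical.
REFERRALS = {
    "come.to": ["ns.greenlight.net", "black.plant.nl"],
    "greenlight.net": ["ns.visualtouch.com", "black.plant.nl"],
    "visualtouch.com": ["ns.host.example"],
    "host.example": ["ns.host.example"],      # length-1 cycle, so it has glue
    "loop-a.example": ["ns.loop-b.example"],  # glueless length-2 cycle
    "loop-b.example": ["ns.loop-a.example"],
}   # plant.nl has no entry: assumed unreachable in this model
GLUE = {"ns.host.example": "192.0.2.53"}      # addresses known from glue or cache
RANK = {"dead": 0, "cycle": 1, "limit": 2, "ok": 3}

def zone_for(name):
    """Closest enclosing zone we hold a referral for (longest suffix match)."""
    labels = name.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in REFERRALS:
            return zone
    return None

def locate(name, limit, known=GLUE, on_hold=()):
    """Return (status, zones on hold); limit caps how many lookups may be on hold."""
    zone = zone_for(name)
    if zone is None:
        return "dead", on_hold              # no referral data: nothing to ask
    if zone in on_hold:
        return "cycle", on_hold + (zone,)   # already waiting on this zone
    if len(on_hold) >= limit:
        return "limit", on_hold             # give up: chain longer than allowed
    chain = on_hold + (zone,)
    if any(ns in known for ns in REFERRALS[zone]):
        return "ok", chain                  # a server address is available
    best = ("dead", chain)
    for ns in REFERRALS[zone]:              # glueless: put this lookup on hold
        result = locate(ns, limit, known, chain)
        if result[0] == "ok":
            return result
        if RANK[result[0]] > RANK[best[0]]:
            best = result
    return best

if __name__ == "__main__":
    for limit in (1, 2, 3):
        print(limit, locate("www.come.to", limit))
    print(locate("www.loop-a.example", 8))
```

With a limit of 2 the lookup for www.come.to fails even though the chain terminates at depth 3; passing a `known` mapping that already contains ns.greenlight.net models the primed cache the message mentions.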