[apps-discuss] draft-sullivan-domain-origin-assert-01.txt
John C Klensin <john-ietf@jck.com> Mon, 06 August 2012 02:46 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 918A221F8577 for <apps-discuss@ietfa.amsl.com>; Sun, 5 Aug 2012 19:46:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_INVITATION=-2, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKymLujy0Jwb for <apps-discuss@ietfa.amsl.com>; Sun, 5 Aug 2012 19:46:30 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) by ietfa.amsl.com (Postfix) with ESMTP id DB6FA21F853F for <apps-discuss@ietf.org>; Sun, 5 Aug 2012 19:46:29 -0700 (PDT)
Received: from localhost ([::1]) by bsa2.jck.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1SyDF2-0009fM-Gp; Sun, 05 Aug 2012 22:40:24 -0400
Date: Sun, 05 Aug 2012 22:46:28 -0400
From: John C Klensin <john-ietf@jck.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>, apps-discuss@ietf.org
Message-ID: <5A4FCAA5BA5F59D02EC64B1C@JCK-EEE10>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: [apps-discuss] draft-sullivan-domain-origin-assert-01.txt
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 02:46:30 -0000
Andrew,
I find this document fairly troubling, largely for the reasons
we discussed briefly in Vancouver. I think your explanation of
the problem(s) and what you are trying to do is muddy, in part
because it seems to me that you are trying to solve too many
problems, some of them simply incompatible with the architecture
of the DNS. To make things worse, the terminology is confusing,
perhaps because of the old problem that existing DNS terminology
usage is, bluntly, a mess. In particular, the boundaries that
are more specifically discussed in "zone cut" terms (delegation
records and a requirement for an SOA record in the subsidiary
domain (and zone) are widely known as "administrative
boundaries". Your using that term, or even "administrative
realm" is an invitation to confusion and trouble, especially in
the absence of text that explicitly repudiates the earlier usage.
More broadly, what you are trying to do here is to overlay an
entirely different data structure --really a mesh-- on top of
the strict hierarchy (with weak aliases) DNS structure. That
mesh is multidimensional with the potential for arrangements by
related domain names, by ports, and by scheme/protocol. If very
much of that is used, one could easily end up with a lot of
these records at a given node, far exceeding the UDP limit and
possibly causing other problems. Worse, if a node makes an
assertion about some set of other nodes and they make
contradictory assertions (whether through malice, configuration
error, or attempts at cleverness the spec doesn't anticipate),
one could end up with a rather interesting mess. I note in that
regard that, in the general case, nothing ensures, or even
predicts, that port numbers of interest to a particular
situation will occupy continuous ranges. If they do not, even
an attempt to make an assertion about port numbers could result
in a lot of records.
Putting aside the nomenclature issues with "administrative"
mentioned above for a moment, I suggest that one could get a
good 90% solution simply by defining a "policy authority origin"
record that parallels the function and definition of the "DNS
administrative authority origin" indication and information
provided by the SOA record. That model fits nicely with the DNS
hierarchy (rather than trying to superimpose a new mesh on top
of it) -- it just clearly defines the two types of boundaries
separate from each other (which they are, of course).
The missing 10% includes protocol-sensitive machinery
("schemes"), and port-sensitive machinery, both of which we've
tended to avoid in the DNS architecture unless the relevant
records really are bound to particular protocols. It also
includes the ability for one node to make assertions about a
node elsewhere in the hierarchy without necessarily having
permission from the target node -- effectively repeating and
extending the problem we have with aliases (reinforced by the
limitations of DNSSEC in those cases). I think (although I'm
not yet ready to try to convince others), that it puts us
further into the situation of trying to build a trust model on
the integrity of registrars -- in today's environment, that
isn't a risk factor but a certain problem.
I can suggest some specific language to clarify the current
draft if that were appropriate, but I think you should consider
whether a much simpler model with provide most of the
functionality you are looking for with considerably less
potential complexity and the introduction of new risks.
Conversely, I think you should be required to really justify the
importance of port ranges, lists of URI schemes, and lists of
names that share owners rather than just putting those
capabilities in because (maybe) we know how.
While aspects of the "variant" story are clearly in your mind
(and I fear contributing to assorted fantasies of what the DNS
can do to help with that without getting any real value in
return), your one clear use case is the public suffix list and
related cookie issues -- and those do not require port ranges,
scheme lists, or identification of other domains with the same
ownership -- it only requires clear identification of the
administrative/control/ policy boundary.
best,
john
- Re: [apps-discuss] draft-sullivan-domain-origin-a… Andrew Sullivan
- [apps-discuss] draft-sullivan-domain-origin-asser… John C Klensin
- Re: [apps-discuss] draft-sullivan-domain-origin-a… John C Klensin