Re: [apps-discuss] [IANA #900093] Re: draft-vesely-authmethod-dnswl

[Scott Kitterman <scott@kitterman.com>]

On Monday, April 18, 2016 01:21:16 PM Alessandro Vesely wrote:
> On Sat 16/Apr/2016 18:10:47 +0200 Scott Kitterman wrote:
> > On April 16, 2016 11:38:24 AM EDT, "Murray S. Kucherawy" 
<superuser@gmail.com> wrote:
> >> On Sat, Apr 16, 2016 at 8:20 AM, Alessandro Vesely <vesely@tana.it> 
wrote:
> >>> Yes, I rejected your proposal to use policy.zone=lists.dnswl.example,
> >>> because it disagrees with the only existing implementation.  When that
> >>> was discussed, the syntax dns.zone=lists.dnswl.example was chosen
> >>> because a DNSxL is a zone in the DNS, according to, say, RFC5782.
> >>> Nobody realized that "dns" is not a valid RFC7601 ptype (and I still
> >>> don't understand why).
> >> 
> >> I've gone over the "why" with you at some length both at the Berlin
> >> meeting and now on a thread subsequent to your request to IANA.
> >> 
> >> While I'm sympathetic to some degree with the "installed base" argument,
> >> I don't think it's reasonable to accept a registration that doesn't fit
> >> within the defining RFC merely because there's a single existing
> >> incorrect implementation.
> > 
> > While I normally give pragmatic arguments (like alignment to existing
> > practice) a lot of weight, in this case I agree with Murray that it would
> > be a mistake.
> > 
> > If you look at the discussion of iprev in
> > http://tools.ietf.org/html/rfc7601#section-2.7.3 it covers the exact same
> > ground as this proposal with regards to ptype selection.  I believe it's
> > clear that policy is the correct choice.
> 
> I guess you mean the paragraph:
> 
>    The result is reported using a ptype of "policy" (as this is not part
>    of any established protocol) and a property of "iprev".
> 
> That looks like an explanation of the naming, it doesn't seem to mandate
> that every ptype must be "policy" unless the related property belongs to an
> established protocol.  The definition of "policy" in Section 2.4 differs.
> 
> Would a name like, say, client.ip=192.0.2.1 have been an equally valid
> choice?
> > In order to add the proposed new ptype, I think the ptype definition in
> > http://tools.ietf.org/html/rfc7601#section-2.3 would have to be changed
> > and
> > that would require a standards track update to RFC 7601.  I don't think
> > you
> > want to go down that path.
> 
> From that definition it is not clear if or why a method is bound to use at
> most one ptype.
> 
> My understanding was that RFC7410 allowed to add new ptypes as needed
> without having to update the A-R header field name definition each time. 
> Can you envisage what kind of change would be required in order to call A
> DNS zone dns.zone?

The definition of ptype includes:

   The "ptype" in the ABNF above indicates the general type of property
   being described by the result being reported, upon which the reported
   result was based.  Coupled with the "property", which is more
   specific, they indicate from which particular part of the message the
   reported data were extracted.

The exception to ptype + property indicating which particular part of the 
message from which the data is extracted is policy.  Iprev falls into policy 
specifically because (IMO) there is nothing extracted from the message.  All 
the information is from the IP connection (i.e. the address) and from DNS (the 
rdns lookup).  

This is exactly the same situation as your DNSWL proposal, so I see no reason 
to treat it differently.  Furthermore, I think that paragraph would need to be 
changed (and not via errata) to broaden the ptype definition to do what you 
propose, so even if I thought a dns ptype was appropriate, it couldn't just be 
added to the registry.

Iprev is connect IP plus DNS lookup.  Perhaps if you could explain why you 
think your DNSWL proposal is somethine else, it would help?

Scott K