IETF Logo Mail Archive

Re: [art] [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft

"John R Levine" <johnl@taugh.com> Thu, 28 February 2019 02:32 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1088D130ED7 for <art@ietfa.amsl.com>; Wed, 27 Feb 2019 18:32:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=emMCvgpa; dkim=pass (1536-bit key) header.d=taugh.com header.b=e+3HvQXz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4pZz69VEPXuf for <art@ietfa.amsl.com>; Wed, 27 Feb 2019 18:32:45 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B25130ECF for <art@ietf.org>; Wed, 27 Feb 2019 18:32:45 -0800 (PST)
Received: (qmail 77842 invoked from network); 28 Feb 2019 02:26:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=13010.5c7746ba.k1902; bh=Wxb+hi/5EMyLFyUCETSfRwCTOLBNlQBTbflQPi1EI+o=; b=emMCvgpaOSescRVqB9Ao9w/lhZBFh05qn0Rdsovxtt7LyKkd28WBSfCKXO8dVYMIosDzRRRMMwl/pwpDwF2VUdajOCWvNqGi4EORhzD7/xkN++qnIFblN5H9BYVU8xE01/iVb/U5ueKFoTBKcUJUp7UGZO8vgG29IXyWxJRZ+i2yk15cPnxfMzqohPReUGIhX4500JYVlxD+xqqF+59hGtfIBIR7jvLofjXhgqm4dOKRgJeNvnUB1JeQYf0QyaQn
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:reply-to:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=13010.5c7746ba.k1902; bh=Wxb+hi/5EMyLFyUCETSfRwCTOLBNlQBTbflQPi1EI+o=; b=e+3HvQXzbC6+OzrHGujW9T0rnpjVQxsocUg/SOT+2TmLVpABzYVOzICJfSL4E87/f1evIuSo7QJ85G1i4qtfsWjJHlZoxEqIF+5zeCuEAuQddt3TqnFLys618YYYC1MntimHeOgEirq3iPFNAam6Ohf7gGvFzQTbelInDN+PXTAVtSkcv/Nko/0egOk0Ualut8Sz9cfcWelvIiZdU3+C/4RLK7LxBGtPbVFxQsHVDiDPxJ6vQKEfVgt0T5jxNLWh
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 28 Feb 2019 02:26:02 -0000
Date: Wed, 27 Feb 2019 21:26:01 -0500
Message-ID: <alpine.OSX.2.21.1902272123390.3497@ary.local>
From: John R Levine <johnl@taugh.com>
Reply-To: dbound@ietf.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: dbound@ietf.org, art@ietf.org, dnsop@ietf.org
In-Reply-To: <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
References: <20190228020332.D2112200F6CEC9@ary.local> <7af62833-8ec7-df92-9241-1f8ce92b0d9a@cs.tcd.ie>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/qNSdX1-FINKlsor0gknOcEsokg8>
Subject: Re: [art] [dbound] [DNSOP] Related Domains By DNS (RDBD) Draft
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 02:32:47 -0000

On Thu, 28 Feb 2019, Stephen Farrell wrote:
>> bar.org._same.foo.com. SAME .	; yes, we're a primary for whatever name that was
>> _same.bar.org. SAME foo.com. ; yes, we're secondary for foo.com.

> Yep, that could work. I still prefer the design in our
> -00 though (sorry:-) as in your scheme here foo.com's zone
> will have to change with every change in a linkage whereas
> in the -00 design, changes are only needed in each of the
> bar.org zones that actually do change. (I think the counter
> to that might relate to difficulty in synchronising changes
> to keys/selectors in our -00 design which can have unexpected
> effects as we saw in the case of DKIM and a particular mail
> corpus leak in 2016;-).

Sure, but pick your poison.  With your scheme you need a mutant DKIM 
signer at the primary and a way to send the result to the secondary.  With 
mine, you just add a record.  I realize that one or the other may be 
easier depending on where an organization's processes are broken but it's 
not obvious to me that the more complex design has an easier process.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

v2.23.0 | Report a Bug | By Email