Re: [dane] Deployment considerations - Re: draft-ietf-dane-smime

Mark Andrews <marka@isc.org> Mon, 20 October 2014 23:11 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C741ACD85 for <dane@ietfa.amsl.com>; Mon, 20 Oct 2014 16:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.311
X-Spam-Level:
X-Spam-Status: No, score=-6.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yo178IAgFTjC for <dane@ietfa.amsl.com>; Mon, 20 Oct 2014 16:11:10 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB8061ACFBB for <dane@ietf.org>; Mon, 20 Oct 2014 16:09:09 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id 2D0163493BE; Mon, 20 Oct 2014 23:09:07 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D2BD9160069; Mon, 20 Oct 2014 23:12:14 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 7C4B6160068; Mon, 20 Oct 2014 23:12:14 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D062A221CDAB; Tue, 21 Oct 2014 10:09:04 +1100 (EST)
To: Dan York <york@isoc.org>
From: Mark Andrews <marka@isc.org>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <67BDE5B6-58C7-4E0B-8CB4-045E51027D85@ieca.com> <3473729E-BC37-48DB-9ACD-FB872CB666DE@vpnc.org> <FE426405-9658-41BD-BD3B-68D358CC3CEB@verisign.com> <63BF3336-C9B8-4D16-BEB7-D42EFBB7A113@vpnc.org> <BCC05ED4-DA78-40B6-A1DE-8CDFA3CBE04D@isoc.org>
In-reply-to: Your message of "Mon, 20 Oct 2014 16:52:21 -0000." <BCC05ED4-DA78-40B6-A1DE-8CDFA3CBE04D@isoc.org>
Date: Tue, 21 Oct 2014 10:09:04 +1100
Message-Id: <20141020230904.D062A221CDAB@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/W6hsPfvwAQaeGP4-avK3sUnoigw
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] Deployment considerations - Re: draft-ietf-dane-smime
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 23:11:25 -0000

In message <BCC05ED4-DA78-40B6-A1DE-8CDFA3CBE04D@isoc.org>rg>, Dan York writes:
>
>
> On Oct 20, 2014, at 11:54 AM, Paul Hoffman
> <paul.hoffman@vpnc.org<mailto:paul.hoffman@vpnc.org>> wrote:
>
> On Oct 20, 2014, at 8:23 AM, Osterweil, Eric
> <eosterweil@verisign.com<mailto:eosterweil@verisign.com>> wrote:
>
> , so necessarily coupling the RRs doesn't seem to make sense.
>
> It has so far in the WG. The WG asked us early on to make as few changes
> as possible to the TLSA definition.
>
> This is a key point to me.  If we are to make DANE truly successful and
> get DANE-related records out there widely, they need to be *easily*
> deployed out there.  Right now, for a great number of people out there,
> their experience of adding DNS records is to go to their DNS hosting
> provider (or very often their DNS *registrar* that is also doing the DNS
> hosting for them) and enter in DNS records through some form of web
> interface.
>
> One of the challenges we *already* face is to get those DNS hosting
> providers to add support for TLSA records.  I just went to the "domain
> manager" for an extremely larger registrar/hosting provider and looked at
> the list of DNS records that I can add as a user:  A, CNAME, MX, TXT,
> SPF, SRV, AAAA, NS.   No TLSA.  No option I saw to edit the zone file
> directly.
>
> Until we can get that large DNS registrar/hosting provider to add support
> for TLSA records to the management GUI, all the people using them can't
> use DANE.    Given the zillion other things they want to do, I would
> suspect that it's going to take some good number of customers asking to
> get them to do so.   And that's just *one* DNS hosting provider.
>
> I think it's going to be hard enough to get DNS hosting providers to add
> the TLSA record to their list of supported record types, let alone asking
> them to *also* add the SMIMEA record to the list of supported record
> types.  BUT... if SMIMEA is basically a renamed TLSA, then you can make
> that argument to them "it's just the same fields you have for TLSA but
> with a different name".  If they have already added TLSA support, adding
> SMIMEA can be just a case of re-using the code.   However, if SMIMEA adds
> more fields then it means the DNS hosting providers have to develop new
> code... and so the case has to be made to all of them about why they
> should add yet-another-record-type to their GUIs.
>
> Personally, I think it would be great if every "DANE-like" usage would
> just use the TLSA record... then we have to only fight that battle once
> to get it added into configuration/management GUIs.    But if we are to
> create other TLSA-like records to have different names, let's at least
> please keep them the same so that we can get them all more easily
> deployed.

This is one of the reasons we wrote "named-rrchecker".  It is a
simple tool that can list out the records types it supports so you
can dynamically build a list of named record types to use along side
TYPE#####.

The currently supported type list is:

A NS MD MF CNAME SOA MB MG MR NULL WKS PTR HINFO MINFO MX TXT RP
AFSDB X25 ISDN RT NSAP NSAP-PTR SIG KEY PX GPOS AAAA LOC NXT EID
NIMLOC SRV ATMA NAPTR KX CERT A6 DNAME APL DS SSHFP IPSECKEY RRSIG
NSEC DNSKEY DHCID NSEC3 NSEC3PARAM TLSA HIP CDS CDNSKEY SPF UINFO
UID GID UNSPEC NID L32 L64 LP EUI48 EUI64 URI CAA DLV

It will also parse the matching records using presentation format
if that is known and unknown record format and emit the record in
unknown record format and/or presentation format if that has been
defined.

Unknown record format means you don't have to update the name servers
everytime you update named-rrchecker.  This is suitable to be added
to any master file or to be used as input to nsupdate.

The presentation format is useful for displaying to the user what
they just entered cleaned up / converted from unknown record format.

You don't need to update web forms to add new types.  You just
update named-rrchecker periodically and the front end picks up
support for the new RR type.

Mark

> My 2 cents,
> Dan
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> york@isoc.org<mailto:york@isoc.org>   +1-802-735-1624
> Jabber: york@jabber.isoc.org<mailto:york@jabber.isoc.org>
> Skype: danyork   http://twitter.com/danyork
>
> http://www.internetsociety.org/deploy360/

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org