Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
Brian Dickson <brian.peter.dickson@gmail.com> Thu, 26 February 2015 01:24 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D49EF1A92BB for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 17:24:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sw7FPhHLXMgc for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 17:24:01 -0800 (PST)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 693C01A007A for <dane@ietf.org>; Wed, 25 Feb 2015 17:24:01 -0800 (PST)
Received: by iecrp18 with SMTP id rp18so10085929iec.9 for <dane@ietf.org>; Wed, 25 Feb 2015 17:24:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=hZk9fndfBhXwgHtP5o/9y7UdtFqcFZmPTCsk670e2BU=; b=CSlI17S3tEkHC8CMBftXY0p8ErU15NoHsYSTNfuWWJqmrrkyDSB9Y/6nicVR2WL8Hr 21SGNay5agwc1QzeV/H75tSO/ANlOF9hbmlsFzAaZTPob0dF2V37ivp7olgapB8TPpbP mmEHFZ2u35iqnwfXYkbICyv0R9Jn2PyN0hNBf1X8IDaLMa010Lo+APD0s2KmIN0BAOS4 lvCmmwLyub5Jmjd6smKTO8cW0i8bSQnvB0tdEa6xsb+NQFYJCUu+H2WnQ+EPu9mQqxCh SenEZZQm18NMXDCCukgp1PUE5EKDsnIjK9wsAjBEmW3YlRhOsO6zz8ifh1mrh4WOpkm0 v+zg==
MIME-Version: 1.0
X-Received: by 10.107.169.42 with SMTP id s42mr8579160ioe.46.1424913840553; Wed, 25 Feb 2015 17:24:00 -0800 (PST)
Received: by 10.64.80.193 with HTTP; Wed, 25 Feb 2015 17:24:00 -0800 (PST)
In-Reply-To: <20150226003139.GK1260@mournblade.imrryr.org>
References: <001b01d04f1c$f626c940$e2745bc0$@augustcellars.com> <20150223040833.GF1260@mournblade.imrryr.org> <CAHw9_iJ167aCbpW=Fni0h_vsWLcWQVLC1P7vkr6X0cmAV9zG=g@mail.gmail.com> <20150223225630.GO1260@mournblade.imrryr.org> <CAHw9_iKNwGBOqdLm04Lqox6ai5tzK1Q-WfkxY=Qvtx+uOG1Qpw@mail.gmail.com> <alpine.LFD.2.10.1502251246430.3004@bofh.nohats.ca> <20150225181322.GU1260@mournblade.imrryr.org> <alpine.LFD.2.10.1502251356430.6550@bofh.nohats.ca> <20150225191500.GZ1260@mournblade.imrryr.org> <CAH1iCipV1Mi03d-AGDHsZv5Lm=OT6ta3m7vBU5uJWsXhN89TzA@mail.gmail.com> <20150226003139.GK1260@mournblade.imrryr.org>
Date: Wed, 25 Feb 2015 17:24:00 -0800
Message-ID: <CAH1iCipBn50FnybmEg-fnBN3R1cnGnd++xx8O6B3uULhHWiO=Q@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "dane@ietf.org" <dane@ietf.org>
Content-Type: multipart/alternative; boundary="001a1142dc0c4d4393050ff39bc9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/YrBwqoRNXtiK3kDjvOerNsI6u-I>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2015 01:24:04 -0000
On Wed, Feb 25, 2015 at 4:31 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Wed, Feb 25, 2015 at 01:41:19PM -0800, Brian Dickson wrote: > > > There are implications to DNS resolution & caching, if you consider stub, > > recursive, and authoritative actors. It may be the case that multiple > > queries need to be done by the stub, regardless of approach. However, if > > policy discovery involves looking up a single common record per DNS zone > > (e.g. rhs of email address), then this is cacheable and reduces both the > > size of the publishing zone, as well as the number of queries by the > > recursive to the authoritative, per client query. > > > However, this does not substantively impact the scalability of DNS > caching, by which I mean that the number of cache entries is > increased by a factor of two rather than some much larger factor. > For all but the most unusual domains, I would expect the user queries to be all long-tail, with no substantial busy user set. So, the caching of the policy record improves client query count (1 vs 2), times total volume to the zone. I would even expect that individual user entries to have TTL = 0, as there is little to no value in caching individual records. (Stubs might briefly cache, as might MTAs, but that is at the app layer, not the DNS resolver.) The real problem is the number of entries required in the zone. (see below) > > > _casefolding RRTYPE RDATA as a way of allowing the zone owner to publish > > all the case-folding rules for the zone, and require the client to use > this > > to discover the canonical (published) owner name for a given email > address. > > This complicates the client code, but avoids the factor of two in > the number of cached records. > > To use the gmail example, I just did a test. I was previously unaware of the "s/\.//g" behavior. But, it is real. So, I sent mail to a never-before-used variant of my name, "br.i.an" instead of "brian". Lo and behold, it was delivered to my mailbox. If the goal was to preserve this behavior, while having MUAs look up keys, without a policy mechanism, it would be necessary to publish 2^(N-1) records for every name of length N. If the average length of a name were 11 characters, then 2^10 = 1024 records would be needed per user. This takes O(10e9) and turns it into O(10e12), of thing which have to be hashed, signed, and then NSEC/NSEC3-ified. So, the publishing side takes a disproportionate hit. Have the client understand a very limited set of case-folding rules, which could be used universally, is clearly preferable, even to the client, IMHO. Brian
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Alexey Melnikov
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… John Levine
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Petr Spacek
- [dane] Start of WGLC for draft-ietf-dane-openpgpk… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… James Cloos
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Jim Schaad
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Jim Schaad
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Jim Schaad
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Jim Schaad
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Rose, Scott W.
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Viktor Dukhovni
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Brian Dickson
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Coyo
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Petr Spacek
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Petr Spacek
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Hoffman
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Hoffman
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Lyndon Nerenberg
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Jon Callas
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Warren Kumari
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Hoffman
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Alexey Melnikov
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters
- Re: [dane] Start of WGLC for draft-ietf-dane-open… James Cloos
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Rose, Scott W.
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Pieter Lexis
- Re: [dane] Start of WGLC for draft-ietf-dane-open… Paul Wouters