IETF Logo Mail Archive

Re: [dbound] BoF request for IETF 115

"Vixie, Paul" <upavixie@amazon.com> Fri, 23 December 2022 02:09 UTC

Return-Path: <prvs=349fe653d=upavixie@amazon.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAECCC14F743 for <dbound@ietfa.amsl.com>; Thu, 22 Dec 2022 18:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.9
X-Spam-Level:
X-Spam-Status: No, score=-11.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQ8BrGsQWJVp for <dbound@ietfa.amsl.com>; Thu, 22 Dec 2022 18:09:10 -0800 (PST)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08C7DC14F741 for <dbound@ietf.org>; Thu, 22 Dec 2022 18:09:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1671761351; x=1703297351; h=from:to:cc:date:message-id:content-id: content-transfer-encoding:mime-version:subject; bh=jCewReYEu/7CaAGV9KRudHh94AijJCzNwV+srjZjolM=; b=LsGtLgDCf5+scibjP0jcd0nNqFnDT7DEXMyCESJED34RoXA5I0NUE0kt aFbARLxd8pWVb5aaHpvEPd8aI+37fOEyieeMNCLmygU+lbPF5SbPAL43O /lKka0Um/04cjP9bWrbSFl5yeWzNG9vH3adn+H3mn1L8bxdWqDwLBsTra I=;
X-IronPort-AV: E=Sophos;i="5.96,267,1665446400"; d="scan'208";a="281977374"
Thread-Topic: [dbound] BoF request for IETF 115
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-iad-1e-m6i4x-6e7a78d7.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 23 Dec 2022 02:09:07 +0000
Received: from EX13MTAUWB002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan2.iad.amazon.com [10.40.163.34]) by email-inbound-relay-iad-1e-m6i4x-6e7a78d7.us-east-1.amazon.com (Postfix) with ESMTPS id A591181A52; Fri, 23 Dec 2022 02:09:06 +0000 (UTC)
Received: from EX19D036UWB003.ant.amazon.com (10.13.139.172) by EX13MTAUWB002.ant.amazon.com (10.43.161.202) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Fri, 23 Dec 2022 02:09:06 +0000
Received: from EX19D036UWB002.ant.amazon.com (10.13.139.139) by EX19D036UWB003.ant.amazon.com (10.13.139.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.20; Fri, 23 Dec 2022 02:09:05 +0000
Received: from EX19D036UWB002.ant.amazon.com ([fe80::23a6:1fe3:c104:21b6]) by EX19D036UWB002.ant.amazon.com ([fe80::23a6:1fe3:c104:21b6%4]) with mapi id 15.02.1118.020; Fri, 23 Dec 2022 02:09:05 +0000
From: "Vixie, Paul" <upavixie@amazon.com>
To: John R Levine <johnl@taugh.com>
CC: "dbound@ietf.org" <dbound@ietf.org>
Thread-Index: AQHZFnOIdfLQrndV/kK/FA7vXaeIqQ==
Date: Fri, 23 Dec 2022 02:09:05 +0000
Message-ID: <C21540C4-F3BE-4EF6-B891-BCC03F8D0E96@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.85.218.183]
Content-Type: text/plain; charset="utf-8"
Content-ID: <23D8FD56AFBB6A4F9217418608650FED@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/29epxPXt5NjtrmlskZmKUBbqOH0>
Subject: Re: [dbound] BoF request for IETF 115
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2022 02:09:10 -0000

See inline. (Sorry, it's Outlook.)

-- 

Paul Vixie
VP & Distinguished Engineer

-----Original Message-----
From: John R Levine <johnl@taugh.com>
Date: Thursday, December 22, 2022 at 14:51

    Vixie: ... ability to (as an example) let google.com set a cookie which would be sent to gmail.com. I agree that it's a hard problem. If someone wants to work on that problem in the IETF, I have yet to see evidence of that interest. The coalition of the willing that I hope we can isolate for this WG is narrowly just the thing Tim quoted out of the earlier charter:

        Tim: What appears to be needed is a mechanism to determine policy realm
        boundaries in the DNS.  That is, given two domain names, one needs to
        be able to answer whether the first and the second are either within
        the same policy realm or have policy realms that are related in some
        way.

    John: The hard bit is to do it in a way that people are willing to use.  If
    domain owners are willing to put a few records in the DNS and domain users
    are willing to do a DNS lookup or two each time they're checking a
    boundary, then my thing or Casey's should work.

If by "it" you mean my example (google.com can set-cookie for gmail.com) then it's out of scope for the BOF and we can stop workshopping it here. Nobody so far has said they want to work on it. If someone like that shows up we can try to find them some co-authors.

If by "it" you mean putting PSL-like stuff into the DNS per your (John's) 2016 draft, then I do not expect some people (like browser makers) to be "willing to use it" unless it gets aggregated. A team who wants to do what the PSL team does now can aggregate from the DNS schema that your 2016 draft (or Casey's for that matter) defines. If we want IANA (via ICANN) to operate a PSL-like aggregator we can write a second draft explaining how that should work based on querying the data that's published according to the schema of the first draft.

Publication is one problem. Access is an opportunity. See for example dnsdbq (URL as previously given) where we'd like to be able to do these lookups in real time as part of doing passive DNS investigations.

Another access opportunity is aggregation. Aggregation would become a second problem.

If we conjoin all these problems we will get 2016-style mud.

    ... If you want to be able to
    prefetch everything, they won't.

So, I could disagree. Any decent passive DNS database can "prefetch everything" even if there is no linkage in the DNS tying related records together. This is routinely done for SPF and DMARC now. However, none of that matters, so I won't disagree on that basis. Instead I will say that not everyone wants to prefetch everything, and the requirement to do so is one of the problems with the PSL today. Some of us want to fetch on demand. We can't. We are hoping to be able to fetch on demand after there is an IETF-defined DNS schema as to how to do so. Once that is done, the people who "want to be able to prefetch everything" will be able to prefetch that in a directed way ("whosoever asks a PSL-like team to prefetch their data").

In no case need the data be independently prefetchable without a priori knowledge such as a list of domains to prefetch DBOUND data from. I hope we can erase that use case from our thinking because _that_ cannot be done in a way that people will use, so it would be dooming.

    ... Our approach has the advantage that
    people publish in their own zones so there's no question whether they are
    authorized.  If it's published somewhere else that might make the
    prefetching easier (put them all in one zone you can xfer) but now we need
    some way to check what's authorized.  Like I said, it's hard.

I like those words "no question whether they are authorized" and I think you could have ended your statement at that point. Nobody has said that they want to work on the other problem but if they do we can try to build a team for them. It's a separable problem so we must separate it.

v2.23.0 | Report a Bug | By Email