Re: [dbound] Updated draft-levine-orgboundary-03
Casey Deccio <casey@deccio.net> Thu, 12 November 2015 16:41 UTC
Return-Path: <casey@deccio.net>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 469061B3005 for <dbound@ietfa.amsl.com>; Thu, 12 Nov 2015 08:41:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jq6xnpJ3SNAZ for <dbound@ietfa.amsl.com>; Thu, 12 Nov 2015 08:41:21 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 206B21B2AF8 for <dbound@ietf.org>; Thu, 12 Nov 2015 08:41:21 -0800 (PST)
Received: by wmww144 with SMTP id w144so96532709wmw.0 for <dbound@ietf.org>; Thu, 12 Nov 2015 08:41:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=deccio.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mMdXvaBi9VoWVrYjDSPCf/8wQEyoje1LyybOjl8IYbg=; b=X8nbV4FBHG2hafQnpbmQR5i9AHCFIrPWE9rGfv5et10YG/m986J7ORQp7B3JFaaLe2 /jL0Huwr2xACdRny8+z0uPPdYLZDFuDPKjXG6VD1+uOwaJwdYrApzM5gr907ciz2BsoT TpiLZ8Kz6Dso4wFeI/YBjrvLJ/LCBrC5lC32k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mMdXvaBi9VoWVrYjDSPCf/8wQEyoje1LyybOjl8IYbg=; b=GjBPil3YFYVDBqURchK3jwdj1YhbpPEBe0jKqXs/RRC3FhzFmGqRvDoH7YAUXLPkg3 nESO4GsXRaD5Gz/feei/5z/KH8ctqQGjN5Bq4VT6sr3YMDg5rwdueAW4t06SHmhQmMYU 94hIy1Cddo+eFFQi1+y38P9Ncp0XzTSJhOmPU7E4EYdh3wxcbFTUCOF8COYXqYoC0RW9 7y/L/qsuFAbuI+f+iqCpl7gq/Vus1/lo+gqPWijZw20FusZOa4Qhy4SwKpXnLVWQzlM5 HXXvaTU1LMywUBoVu8R7L2q1G8/VRmcnqRWVtq+9Q/2Pn8/O7kYkwRN7caYcEoGkRn/O ETfA==
X-Gm-Message-State: ALoCoQmOdje6xWFhVMRaPsUURVOSzGK5Vosf+G9zk5nLrdDame6Hg82rA90URoex56I1wMVlZOY0
MIME-Version: 1.0
X-Received: by 10.28.216.196 with SMTP id p187mr49631978wmg.14.1447346479370; Thu, 12 Nov 2015 08:41:19 -0800 (PST)
Received: by 10.195.12.137 with HTTP; Thu, 12 Nov 2015 08:41:19 -0800 (PST)
In-Reply-To: <20151112021154.2231.qmail@ary.lan>
References: <alpine.OSX.2.11.1511091838260.92970@ary.local> <20151112021154.2231.qmail@ary.lan>
Date: Thu, 12 Nov 2015 11:41:19 -0500
Message-ID: <CAEKtLiQAiQ2gnv5828yifGCZb_0oH1kTSLsx8p0EaPoqA-k=ig@mail.gmail.com>
From: Casey Deccio <casey@deccio.net>
To: John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="001a11469002c56da705245a9c13"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/3RHHolgz1ka2fvlWng-3UqDbA8Q>
Cc: "dbound@ietf.org" <dbound@ietf.org>
Subject: Re: [dbound] Updated draft-levine-orgboundary-03
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 16:41:23 -0000
Hi John, On Wed, Nov 11, 2015 at 9:11 PM, John Levine <johnl@taugh.com> wrote: > Not to toot my own horn or anything, but I really think this does most > of what people have said they want DBOUND to do, published in the DNS, > with each domain publishing its own info in the tree it controls, no > new TLDs or other administratively painful changes, provision for > different boundaries for different applications, and most checks in > one or two DNS queries regardless of how deep the name tree is. > > What's not to like? > > I've given the draft a detailed read. In general, the approach is admittedly very similar to that in draft-deccio-dbound-organizational-domain-policy (ODUP) Some differences are a matter of preference, and others have more technical implications. - Both drafts use "opt-out" models. - Terminology concerns (nits): - Boundaries vs. policies: both drafts mention boundaries and policies. While there are similarities, and in particular, policies often utilize boundaries, they aren't one and the same. Yet that they seem to be portrayed as such in the draft. - "Organization" (e.g., "belongs to the same organization"). The way I understand the understand "organization" doesn't coincide with how it is used in this draft. I don't think of an organizational boundary as something associated with a service or policy. For example, I don't see how a cookie policy changes the organizational boundary between two domains. I see "policy boundary" on occasion. Perhaps the two simply need to be reconciled. - Lookup process - the process is very similar to that in ODUP. Some similarities and differences follow: - They both have iteration-stopping mechanisms (NXDOMAIN for ODUP; NOLOWER for the current draft). - The current draft begins queries at the TLD, rather than at the root (well, the _odup TLD anyway). - The current draft uses the entire DNS name (plus the _bound label) to create the qname to be queried; in ODUP, each label is considered separately. There are revealing components to both (discussed on the ODUP draft and in other email threads), but the latter is the more conservative approach. - There is no "default" policy behavior in the current draft; the default policy behavior in ODUP is current behavior. - There is no mechanism for offline lookup in the current draft, contrasted with the ability to download policy realms (including the policy-negative realm and other high-profile realms) for local use in the ODUP draft. - Because one record for each service/policy is required, there are potentially n*m lookups. So while the performance is O(n) for any given service, it is O(n*m) for all services/policies. Some applications would require understanding of multiple policies. Contrast this with a hard O(n) with ODUP, which has a consolidated service list. - The following is a confusing sentence for "boundary node": "the one above the closest node to the root that also belongs to the same organization as the input domain name." It is somewhat clarified by the sentence immediately after, but the qualifiers in the sentence itself are ambiguous. - Why the use of wildcards? The time complexity doesn't improve with this. It just seems like added complexity, so you can query for the entire name, rather than label-by-label. But as, mentioned previously, this is revealing to higher level DNS authorities. - What would be the road map to deploy this "now", given existing application behavior? This was one of the big reasons for the design of ODUP: to provide a mechanism that is backwards compatible with existing behaviors and has a transition path for expansion, with the idea that it is technically capable of going "now". Cheers, Casey
- [dbound] Updated orgboundary draft John R Levine
- Re: [dbound] Updated draft-levine-orgboundary-03 John Levine
- Re: [dbound] Updated draft-levine-orgboundary-03 Casey Deccio
- Re: [dbound] Updated orgboundary draft Casey Deccio
- Re: [dbound] Updated draft-levine-orgboundary-03 John R Levine
- Re: [dbound] Updated orgboundary draft John R Levine
- Re: [dbound] Updated draft-levine-orgboundary-03 Casey Deccio
- Re: [dbound] Updated draft-levine-orgboundary-03 John R Levine
- Re: [dbound] Updated draft-levine-orgboundary-03 Casey Deccio