[dbound] Thoughts and comments on draft-levine-orgboundary-04
"Kurt Andersen (b)" <kboth@drkurt.com> Tue, 19 January 2016 00:42 UTC
Return-Path: <kurta@drkurt.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F7D81A7005 for <dbound@ietfa.amsl.com>; Mon, 18 Jan 2016 16:42:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.778
X-Spam-Level:
X-Spam-Status: No, score=-0.778 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_37=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id abEV8DBU8Van for <dbound@ietfa.amsl.com>; Mon, 18 Jan 2016 16:42:20 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250F81A7003 for <dbound@ietf.org>; Mon, 18 Jan 2016 16:42:20 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id s5so36000082qkd.0 for <dbound@ietf.org>; Mon, 18 Jan 2016 16:42:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=lX0nGvSEo2kEdVEnGOn+5g+WBqvskzISjbkfSwK69ac=; b=QgEbt1yEKwFtvXVD7DWUcvjk205s7URU31Vle3hORCxH1eUudbnXjPCLMrg2Pv+tE+ /ummOd5epXD0h9tKKtawBRUtFRopbpAVsCusz6TbHPynPxJXIiqxHHz6LcrKpfL19qMU rfA8oLKdf3by8hxg3+KsDpisgQNqJ0e/LUmyY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=lX0nGvSEo2kEdVEnGOn+5g+WBqvskzISjbkfSwK69ac=; b=OMKnh4crXL/kADtev672qrZZY/RSjvi37NBm9MV3FIEU6YVHa1zIcQ8QV/2mPFq6Sh 63vBz1hZ2nOYhV5sLYRkEYQSx7qEWegQTFg0Lt2A5m4joRlntVMnzCCPIkcothAt9c7y 8RodFPhLBXqEw5VDB+2m6+ILuPtluOPhxUR/4WknNkTQkAeC3QE83atk9WLpS9JmpqG/ MqkgY3gpMhLn1yvPVwbIiWBUTS84vDuRFwII6CGsQO/G90OgYU4owH3xj4KheQxPpFu+ Beae7awHEywuBYAz7Jm5Wlhry6JjQsVdIykRvWRF0VyA0XOTnYVuSecHm/UQg7H23msJ FnWQ==
X-Gm-Message-State: ALoCoQknjlPvrYNCr91jTVipIak6i4pH/k0kFgKU3pbiYo4HNNXfA4a2RbyYB9ZdCPSluC1xQnQJRWIrvdejwG8m/4iWuhwi8A==
MIME-Version: 1.0
X-Received: by 10.55.25.146 with SMTP id 18mr34557899qkz.41.1453164139248; Mon, 18 Jan 2016 16:42:19 -0800 (PST)
Sender: kurta@drkurt.com
Received: by 10.55.42.67 with HTTP; Mon, 18 Jan 2016 16:42:19 -0800 (PST)
Date: Mon, 18 Jan 2016 16:42:19 -0800
X-Google-Sender-Auth: Qc1GyhgUhGfhs2-Dkpw2xDfkPW8
Message-ID: <CABuGu1ofY4OCSMRfZcwwB9hOYj6vaEDixVLLj9T4mC_5kzK8cg@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
To: "dbound@ietf.org" <dbound@ietf.org>
Content-Type: multipart/alternative; boundary="001a1147b2c05216360529a5247a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/Q_HOkCrv9ok-aMjFtuYVTk2axLI>
Subject: [dbound] Thoughts and comments on draft-levine-orgboundary-04
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2016 00:42:22 -0000
After considering both draft-levine-orgboundary-04 and draft-deccio-dbound-organizational-domain-policy-01 as examples of what was termed during the Yokohama discussion as a "top down" boundary assertion, I have found it much easier to grok the lookup sequence from John's proposal than the one in Casey's. I'm still not sure that I have entirely grasped the nuances and especially the potential corner-case holes that reside within the algorithm proposed by Casey and I don't see the benefit of supporting an "offline" mode since the applicability of the domain boundary lookups is in dealing with online, real time queries. Question regarding the text: The last paragraph of section 2 says "Each domain publishes its own policies". I take this to mean its own boundaries, but would it be more appropriate to say "Each ADMD publishes its own boundaries"? It seems slightly problematic to be dependent on a (potentially uncooperative) parent domain in order for child domains to be looped into the BOUND framework. Since SOA is an established mechanism within DNS management, would it make the mechanism more resilient to follow the SOA chain before branching off to look for BOUND records? As a security measure, the failure to lookup a terminating record with a NOLOWER bit set seems like its interpretation could be application dependent. In the case of cookies or certs, one may want individual name isolation, but in the case of DMARC, that would enable attacks rather than prevent them. Section 3 (and 10) calls for the applications to be indicated as a lookup table managed by IANA. Why not just have defined application mechanisms which could be comma-separated in the record rather than an encoded numeric value? In section 5, paragraph 3, the draft reads "the record would indicate no boundaries. . ." but then the exemplar record is "*._bound.test IN BOUND 0 0 .". Shouldn't that be "*._bound.test IN BOUND 1 0 ." to indicate no boundaries? In section 5, regarding the example with municipal boundaries, using toronto.on.ca, while wildcards work fine for resolving www.toronto.on.ca, would they also "do the right thing" for the same web site answering to " toronto.on.ca" or would they force the boundary up to the on.ca level? This hearkens back to the discussion in the next to last paragraph of section 2 with abc.example. In section 8, the text refers to "a parent publishing records that shadow part or all of the boundary record namespace for delegated subdomains, correct operation depends on the parent and subdomains agreeing about who publishes what" but does not propose any procedural guidance on what sort of division of publishing responsibilities might be reasonable Section 10 (following from the discussion of how to implement as a series of TXT records in section 9) specifies this as a new RRTYPE. I share Murray's concerns based on the experience with the SPF RRTYPE that implementing a new RRTYPE would impede progress on a dbound solution even more so than our difficulties in achieving consensus on the problem statement :-) Nits: - Section 4, first sentence is missing an "and": ". . .takes a domain name an application. . ." --Kurt Andersen
- [dbound] Thoughts and comments on draft-levine-or… Kurt Andersen (b)
- Re: [dbound] Thoughts and comments on draft-levin… Casey Deccio
- Re: [dbound] Thoughts and comments on draft-levin… John Levine